LiveActive security incident?Get immediate response
CVE Record

CVE-2021-47650: ASoC: soc-compress: prevent the potentially use of null pointer

In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-compress: prevent the potentially use of null pointer There is one call trace that snd_soc_register_card() ->snd_soc_bind_card()->soc_init_pcm_runtime() ->snd_soc_dai_compress_new()->snd_soc_new_compress(). In the trace the 'codec_dai' transfers from card->dai_link, and we can see from the snd_soc_add_pcm_runtime() in snd_soc_bind_card() that, if value of card->dai_link->num_codecs is 0, then 'codec_dai' could be null pointer caused by index out of bound in 'asoc_rtd_to_codec(rtd, 0)'. And snd_soc_register_card() is called by various platforms. Therefore, it is better to add the check in the case of misusing. And because 'cpu_dai' has already checked in soc_init_pcm_runtime(), there is no need to check again. Adding the check as follow, then if 'codec_dai' is null, snd_soc_new_compress() will not pass through the check 'if (playback + capture != 1)', avoiding the leftover use of 'codec_dai'.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2021-47650 is a Linux kernel audio subsystem defect where an invalid ASoC card configuration could lead to use of a null codec pointer during compressed audio setup. The sources describe a defensive kernel fix, but provide no CVSS score, confirmed impact, or exploitation evidence.

Executive priority

Treat as a patch-management item unless your fleet includes Linux-based embedded, mobile, appliance, or media devices using SoC audio. There is no source-backed evidence of active exploitation or high business urgency.

Technical view

In the ASoC compressed-audio registration path, codec_dai can become null when card->dai_link->num_codecs is 0. The fix adds a codec_dai check in snd_soc_new_compress(), preventing later logic from using that null pointer.

Likely exposure

Exposure is limited to Linux kernels using affected ASoC compressed-audio code paths, typically systems with relevant SoC audio drivers. The bundle lists Linux as affected and includes stable kernel fix references.

Exploitation context

No active exploitation is indicated. The CVE is not marked KEV, and the provided sources do not describe exploitability, attacker prerequisites, or weaponized use.

Researcher notes

The record lacks CVSS, CWE, explicit impact, and exploitability details. Analysis should stay focused on the null codec_dai defensive check and affected stable kernel lines named by the CVE sources.

Mitigation direction

  • Update to a Linux kernel containing the referenced stable fixes.
  • Check vendor or distribution kernel advisories for backported fixes.
  • Prioritize embedded or appliance fleets using SoC audio hardware.
  • Avoid assuming non-audio Linux servers are exposed without kernel and hardware validation.

Validation and detection

  • Inventory kernel versions and distribution patch levels.
  • Identify systems using ASoC and compressed-audio kernel paths.
  • Confirm whether referenced stable commits are present or backported.
  • Review vendor advisories for affected kernel package status.
Prepared
Confidence
medium
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2021-47650 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
7Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux467fece8fbc6774a3a3bd0981e1a342fb5022706, 467fece8fbc6774a3a3bd0981e1a342fb5022706, 467fece8fbc6774a3a3bd0981e1a342fb5022706, 467fece8fbc6774a3a3bd0981e1a342fb5022706, 467fece8fbc6774a3a3bd0981e1a342fb5022706, 467fece8fbc6774a3a3bd0981e1a342fb5022706unaffected
LinuxLinux5.4, 0, 5.4.189, 5.10.110, 5.15.33, 5.16.19, 5.17.2, 5.18affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.