LiveActive security incident?Get immediate response
CVE Record

CVE-2024-58077: ASoC: soc-pcm: don't use soc_pcm_ret() on .prepare callback

In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-pcm: don't use soc_pcm_ret() on .prepare callback commit 1f5664351410 ("ASoC: lower "no backend DAIs enabled for ... Port" log severity") ignores -EINVAL error message on common soc_pcm_ret(). It is used from many functions, ignoring -EINVAL is over-kill. The reason why -EINVAL was ignored was it really should only be used upon invalid parameters coming from userspace and in that case we don't want to log an error since we do not want to give userspace a way to do a denial-of-service attack on the syslog / diskspace. So don't use soc_pcm_ret() on .prepare callback is better idea.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2024-58077 is a Linux kernel issue in the ALSA System-on-Chip audio path. The public record describes incorrect error-handling behavior around a prepare callback, not a broad remote compromise scenario. Severity is not scored in the supplied sources, so business urgency depends on whether affected Linux kernels are present in managed endpoints, embedded devices, or appliances.

Executive priority

Treat this as a routine kernel maintenance item unless affected high-value or hard-to-patch Linux devices are widespread. There is no supplied evidence of exploitation or critical severity, but kernel fixes should still follow normal patch governance.

Technical view

The fix avoids using soc_pcm_ret() in the ASoC soc-pcm .prepare callback because common handling suppressed -EINVAL too broadly. The source explains -EINVAL suppression was meant to avoid userspace-driven log or disk-space denial of service, but applying it from many functions was excessive. No CWE, CVSS, or exploit details are provided.

Likely exposure

Exposure is most likely on systems running affected Linux kernel builds with ASoC audio support. The supplied data names Linux kernel versions and stable backport references, but exact distribution package exposure should be confirmed through vendor advisories and installed kernel versions.

Exploitation context

The supplied sources do not show active exploitation, public exploit code, or CISA KEV listing. The described concern is local userspace-triggered error handling and logging behavior, not a documented remote attack path.

Researcher notes

Evidence is limited to the CVE record, upstream stable commits, and a Debian LTS announcement. The record lacks CVSS, CWE, proof-of-concept status, and detailed impact analysis. Avoid assuming exploitability beyond the stated userspace-triggered logging and error-handling context.

Mitigation direction

  • Check Linux distribution advisories for CVE-2024-58077 package status.
  • Prioritize kernel updates for affected endpoints, embedded systems, and appliances.
  • Apply vendor-supported stable kernel updates when available.
  • Track Debian LTS and upstream stable backports for deployed branches.

Validation and detection

  • Inventory Linux kernel versions across managed systems.
  • Identify devices using ASoC or embedded audio kernel paths.
  • Compare installed kernels against vendor CVE-2024-58077 advisories.
  • Confirm patched kernels include the referenced upstream stable commits.
Prepared
Confidence
medium
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-58077 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
6Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux1f566435141047ca7db26aa4b0b6647a25badaee, 1f566435141047ca7db26aa4b0b6647a25badaee, 1f566435141047ca7db26aa4b0b6647a25badaee, 1f566435141047ca7db26aa4b0b6647a25badaeeunaffected
LinuxLinux6.5, 0, 6.6.78, 6.12.14, 6.13.3, 6.14affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.