PatchSiren

CVE-2026-43443 Linux CVE debrief

CVE-2026-43443 is a Linux kernel issue in the ASoC AMD ACP machine-driver code where clock acquisition return values were not checked in acp_card_rt5682_init() and acp_card_rt5682s_init(). If clk_get() returned an invalid pointer and later clock-core code dereferenced it, the kernel could crash. The upstream fix switches to devm_clk_get() and adds immediate IS_ERR() checks.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-21
Advisory published: 2026-05-08
Advisory updated: 2026-05-21

Who should care

Linux kernel maintainers, distro security teams, and operators running systems that include the affected AMD ACP ASoC machine-driver paths—especially where audio hardware support is enabled in kernels built from or based on the affected version range.

Technical summary

The flaw is a missing error-handling path during clock acquisition in the acp-mach-common code used by AMD ACP ASoC machine-driver initialization. NVD maps the issue to CWE-476 (NULL pointer dereference / invalid pointer dereference class) and assigns CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, reflecting a locally reachable availability impact. NVD’s affected-version criteria cover Linux kernel versions from 5.16 through 6.19.9, plus 7.0-rc1, rc2, and rc3.
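
The unchecked and checked acquisition patterns described above, modelled in userspace C as an added example (not the kernel's code and not taken from the upstream patch). The ERR_PTR helpers are re-implemented stand-ins for the kernel's; mock_clk_get(), struct card and the init function names are hypothetical, and the devm_ lifetime handling is not modelled.

```c
/* Userspace model only. ERR_PTR/PTR_ERR/IS_ERR below are stand-ins for the
 * kernel helpers of the same name; everything else is hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct clk { unsigned long rate; };
struct card { struct clk *wclk; };      /* hypothetical driver state */
static struct clk good_clk = { 48000 }; /* constructed sample clock */

/* Stand-in for clock acquisition: failure is an encoded errno, not NULL. */
static struct clk *mock_clk_get(int fail) { return fail ? ERR_PTR(-ENOENT) : &good_clk; }

/* Pre-fix shape: result stored unchecked, init still reports success. */
static int init_unchecked(struct card *c, int fail)
{
	c->wclk = mock_clk_get(fail);
	return 0;
}

/* Post-fix shape: IS_ERR() right after acquisition, errno propagated. */
static int init_checked(struct card *c, int fail)
{
	struct clk *clk = mock_clk_get(fail);

	if (IS_ERR(clk))
		return (int)PTR_ERR(clk);
	c->wclk = clk;
	return 0;
}

/* A later clock call would dereference c->wclk; a NULL test alone misses it. */
static int later_use_would_fault(const struct card *c) { return c->wclk != NULL && IS_ERR(c->wclk); }

int main(void)
{
	struct card a = { NULL }, b = { NULL };
	int ra = init_unchecked(&a, 1), rb = init_checked(&b, 1);

	printf("unchecked ret=%d poisoned=%d; checked ret=%d poisoned=%d\n",
	       ra, later_use_would_fault(&a), rb, later_use_would_fault(&b));
	return 0;
}
```

The unchecked variant returns success while leaving an error-encoded pointer in driver state, which is why the crash surfaces later in clock-core code rather than at initialization.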

Defensive priority

Medium. This is a local, low-privilege availability issue rather than an integrity or confidentiality compromise, but kernel crashes are operationally significant. Prioritize if you ship kernels in the affected range or with downstream backports of the AMD ACP machine-driver code.

Recommended defensive actions

  • Confirm whether your kernel build includes the AMD ACP ASoC machine-driver code path referenced by the fix.
  • Apply the upstream kernel patches referenced by NVD, or upgrade to a kernel release that includes the fix.
  • If you maintain a downstream kernel, verify the devm_clk_get() conversion and IS_ERR() checks are present in acp_card_rt5682_init() and acp_card_rt5682s_init().
  • Review your vendor’s advisory or backport status for affected long-term-support kernel streams.
  • Reboot into the fixed kernel after patching and monitor for any boot-time or audio-subsystem regressions.

Evidence notes

This debrief is based on the CVE description and the NVD record. The CVE description states that acp_card_rt5682_init() and acp_card_rt5682s_init() did not check clk_get() return values, which could lead to a kernel crash when invalid pointers are later dereferenced by clock core functions. The NVD record is marked Analyzed, cites CWE-476, includes CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, and links two upstream Linux kernel patch references.

Official resources

Official CVE publication context: published by NVD on 2026-05-08 and last modified on 2026-05-21. The NVD record cites two upstream Linux kernel patch references for remediation.