PatchSiren

CVE-2026-43480 Linux CVE debrief

CVE-2026-43480 covers a Linux kernel ASoC bug in the AMD ACP3x RT5682/MAX9836 audio path. The driver failed to check whether clock acquisition succeeded, which could let an error pointer reach later clock-enable logic. The fix switches to managed clock acquisition and adds proper error handling.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-05-13
Advisory published: 2026-05-13
Advisory updated: 2026-05-13

Who should care

Linux kernel maintainers, distro security teams, OEMs, and operators of systems using AMD ACP3x audio with RT5682/MAX9836 codecs.

Technical summary

The acp3x_5682_init() path used clk_get() without validating the return value. If clock acquisition failed, rt5682_clk_enable() could dereference an error pointer in kernel space, which is an availability risk and may crash affected systems. The remediation changes the code to devm_clk_get() and adds IS_ERR() checks for both clock acquisitions.
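The failure mode described above, as an added userspace model rather than the kernel's or the driver's own code: a failed clock lookup returns an errno encoded as a non-NULL pointer, so only an IS_ERR() check stops it from reaching later enable logic. The names mock_clk_get, init_unchecked, init_checked and demo_clk are hypothetical, and the ERR_PTR helpers are reimplemented here to mirror the kernel convention.

```c
/* Userspace model of the kernel ERR_PTR convention (added example). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p)
{
	return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}

struct clk { int enabled; };	/* stand-in for the opaque kernel type */
static struct clk demo_clk;

/* Hypothetical lookup: on failure returns an encoded errno, never NULL. */
static struct clk *mock_clk_get(int available)
{
	return available ? &demo_clk : ERR_PTR(-ENOENT);
}

/* Before: the result is stored unchecked and init reports success. */
static int init_unchecked(int available, struct clk **out)
{
	*out = mock_clk_get(available);
	return 0;
}

/* After: IS_ERR() check, errno propagated, *out left untouched on failure. */
static int init_checked(int available, struct clk **out)
{
	struct clk *c = mock_clk_get(available);

	if (IS_ERR(c))
		return (int)PTR_ERR(c);
	*out = c;
	return 0;
}

int main(void)
{
	struct clk *a = NULL, *b = NULL;
	int ra = init_unchecked(0, &a), rb = init_checked(0, &b);

	printf("unchecked: ret=%d ptr=%p non-NULL=%d IS_ERR=%d\n",
	       ra, (void *)a, a != NULL, IS_ERR(a));
	printf("checked:   ret=%d ptr=%p\n", rb, (void *)b);
	return 0;
}
```

In the unchecked variant the stored pointer passes a plain NULL test, which is why a guard of that kind in later code does not prevent the dereference.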

Defensive priority

Medium to high for deployments that include the affected AMD audio hardware; low for systems that do not use this driver path.

Recommended defensive actions

  • Verify whether your kernel branch includes the stable backport(s) referenced in the NVD record.
  • Update affected kernels on AMD ACP3x + RT5682/MAX9836 systems to a build that contains the fix.
  • Monitor affected devices for audio initialization failures, kernel warnings, or crashes after remediation.
  • Track distro or OEM advisories for any additional backports specific to your release line.

Evidence notes

The supplied corpus includes the official CVE/NVD records plus kernel.org stable commit references, but no CVSS vector or full diff text. The debrief therefore stays limited to the documented flaw: missing clock-acquisition error checks that could lead to error-pointer dereference in kernel code.

Official resources

CVE published and modified on 2026-05-13. The supplied enrichment does not mark this as KEV, and no KEV date is present in the corpus. NVD status in the provided record is 'Received'.