CVE-2026-23006 - Vulnerability Details

- ASoC: tlv320adcx140: fix null pointer

Description

In the Linux kernel, the following vulnerability has been resolved:

ASoC: tlv320adcx140: fix null pointer

The "snd_soc_component" in "adcx140_priv" was only used once but never
set. It was only used for reaching "dev" which is already present in
"adcx140_priv".

Published: 2026-01-25

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A null pointer dereference was discovered in the Advanced Linux Sound Architecture (ALSA) driver for the TLV320ADCX140 audio codec. The driver incorrectly accessed a component pointer that was never initialized, which could cause the kernel to dereference a null pointer and panic. This vulnerability produces a system crash and results in an outage of the affected machine.

Affected Systems

The flaw is present in the Linux kernel across all 6.1 releases and in the 6.19 development releases up to and including 6.19 rc8. Any system running these kernel versions and using the ALSA driver for the TLV320ADCX140 codec is vulnerable. The issue is not specific to a particular vendor but affects all builds of the Linux kernel that include the affected source code.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity. The EPSS score of less than 1% reflects a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Because this condition occurs during kernel initialization and requires the compromised device to load or use the affected driver, an attacker would need local or kernel‑level privileges. Therefore the primary impact is a denial‑of‑service scenario rather than remote code execution.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`4e82971f7b556cff3491c867e8840e7d788693b9`	affected	< 954260a32c21d5072d8e7253c0a8b1627927cb02
`4e82971f7b556cff3491c867e8840e7d788693b9`	affected	< 659939d08e5f7bc17b941c53e8c9c0a6c6113b21
`4e82971f7b556cff3491c867e8840e7d788693b9`	affected	< 61757f5191daab863d25f03680e912b5449a1eed
`4e82971f7b556cff3491c867e8840e7d788693b9`	affected	< 53bd838ed5950cb18927e4b2e8ee841b7cb10929
`4e82971f7b556cff3491c867e8840e7d788693b9`	affected	< be7664c81d3129fc313ef62ff275fd3d33cfecd4

Linux

affected

Version	Status	Constraints
`6.1`	affected	—
`0`	unaffected	< 6.1
`6.1.162`	unaffected	≤ 6.1.*
`6.6.122`	unaffected	≤ 6.6.*
`6.12.67`	unaffected	≤ 6.12.*
`6.18.7`	unaffected	≤ 6.18.*
`6.19`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.1:-::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc7::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc8::::::

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest kernel update that includes the patch for the TLV320ADCX140 null pointer fix
Verify that the kernel version in use is at least 6.1 or the corresponding 6.19 release that contains the bug fix
If upgrading the kernel is not immediately possible, restrict access to the device or disable the TLV320ADCX140 codec from the system configuration until the patch is applied

Generated by OpenCVE AI on April 18, 2026 at 15:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4476-1	linux-6.1 security update
Debian DSA	DSA-6126-1	linux security update
Debian DSA	DSA-6127-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00008.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/53bd838ed5950cb18927e4b2e8ee841b7cb10929
https://git.kernel.org/stable/c/61757f5191daab863d25f03680e912b5449a1eed
https://git.kernel.org/stable/c/659939d08e5f7bc17b941c53e8c9c0a6c6113b21
https://git.kernel.org/stable/c/954260a32c21d5072d8e7253c0a8b1627927cb02
https://git.kernel.org/stable/c/be7664c81d3129fc313ef62ff275fd3d33cfecd4
https://lore.kernel.org/linux-cve-announce/2026012536-CVE-2026-23006-241b@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23006
https://www.cve.org/CVERecord?id=CVE-2026-23006

History

Wed, 25 Mar 2026 19:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476
CPEs		cpe:2.3:o:linux:linux_kernel:6.19:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc7:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc8:::::: cpe:2.3:o:linux:linux_kernel:6.1:-::::::
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Fri, 06 Feb 2026 16:45:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/954260a32c21d5072d8e7253c0a8b1627927cb02

Fri, 30 Jan 2026 10:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/659939d08e5f7bc17b941c53e8c9c0a6c6113b21

Mon, 26 Jan 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026012536-CVE-2026-23006-241b@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23006 https://www.cve.org/CVERecord?id=CVE-2026-23006

Sun, 25 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ASoC: tlv320adcx140: fix null pointer The "snd_soc_component" in "adcx140_priv" was only used once but never set. It was only used for reaching "dev" which is already present in "adcx140_priv".
Title		ASoC: tlv320adcx140: fix null pointer
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/53bd838ed5950cb18927e4b2e8ee841b7cb10929 https://git.kernel.org/stable/c/61757f5191daab863d25f03680e912b5449a1eed https://git.kernel.org/stable/c/be7664c81d3129fc313ef62ff275fd3d33cfecd4

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-01-25T14:36:19.819Z

Updated: 2026-02-09T08:36:58.851Z

Reserved: 2026-01-13T15:37:45.939Z

Link: CVE-2026-23006

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-01-25T15:15:55.480

Modified: 2026-03-25T19:21:56.440

Link: CVE-2026-23006

Redhat

Severity :

Publid Date: 2026-01-25T00:00:00Z

Links: CVE-2026-23006 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T15:15:03Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object