Impact
The flaw in the Linux kernel’s ASoC QDSP6 topology module causes the driver to read private data from a widget without first ensuring that the widget type is valid. If the widget is a virtual or otherwise unassociated type, the driver may access memory that has not been properly initialized or that does not belong to that structure. This incorrect type conversion or cast can result in a kernel read fault or memory corruption, which in turn may cause a kernel panic or other system instability.
Affected Systems
All Linux kernel installations that contain the ASoC QDSP6 topology code are potentially affected. No specific kernel versions are listed, so any distribution shipping a kernel that includes this subsystem could be vulnerable.
Risk and Exploitability
The CVSS score of 5.5 indicates moderate severity, and the EPSS score is reported as < 1%, meaning the likelihood of public exploitation is very low. The vulnerability is not listed in KEV. The flaw can be triggered by providing malformed topology data that reaches the driver; it is likely a local attack requiring some level of privilege to influence the audio subsystem. No direct evidence of privilege escalation is present, but the kernel memory corruption could lead to denial‑of‑service conditions.
OpenCVE Enrichment
Debian DLA