Description
In the Linux kernel, the following vulnerability has been resolved:

ASoC: qcom: qdsp6: topology: check widget type before accessing data

Check widget type before accessing the private data, as this could a
virtual widget which is no associated with a dsp graph, container and
module. Accessing witout check could lead to incorrect memory access.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in the Linux kernel’s ASoC QDSP6 topology module causes the driver to read private data from a widget without first ensuring that the widget type is valid. If the widget is a virtual or otherwise unassociated type, the driver may access memory that has not been properly initialized or that does not belong to that structure. This incorrect type conversion or cast can result in a kernel read fault or memory corruption, which in turn may cause a kernel panic or other system instability.

Affected Systems

All Linux kernel installations that contain the ASoC QDSP6 topology code are potentially affected. No specific kernel versions are listed, so any distribution shipping a kernel that includes this subsystem could be vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score is reported as < 1%, meaning the likelihood of public exploitation is very low. The vulnerability is not listed in KEV. The flaw can be triggered by providing malformed topology data that reaches the driver; it is likely a local attack requiring some level of privilege to influence the audio subsystem. No direct evidence of privilege escalation is present, but the kernel memory corruption could lead to denial‑of‑service conditions.

Generated by OpenCVE AI on June 27, 2026 at 05:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that incorporates the widget‑type validation fix in the ASoC QDSP6 topology code.
  • If a kernel update is unavailable, disable the QDSP6 topology features or blacklist the associated modules to prevent the vulnerable code from executing.
  • Enable kernel crash dumps and configure alerts for abnormal kernel panics that may indicate exploitation attempts.

Generated by OpenCVE AI on June 27, 2026 at 05:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sat, 27 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-843
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: qdsp6: topology: check widget type before accessing data Check widget type before accessing the private data, as this could a virtual widget which is no associated with a dsp graph, container and module. Accessing witout check could lead to incorrect memory access.
Title ASoC: qcom: qdsp6: topology: check widget type before accessing data
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:58.030Z

Reserved: 2026-06-09T07:44:35.381Z

Link: CVE-2026-53052

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53052 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T06:00:12Z

Weaknesses
  • CWE-843

    Access of Resource Using Incompatible Type ('Type Confusion')