A defect in the Linux kernel’s ASoC subsystem for Qualcomm’s QDSP6 devices causes the code to skip a critical type check before reading private data from a widget. If the widget is a virtual or otherwise unassociated type, the kernel will access uninitialized or otherwise invalid memory. This can lead to a kernel crash or, if an attacker can influence the data, exploit the fault to gain elevated privileges. The weakness is related to improper validation of input leading to unchecked memory access, a common cause of denial‑of‑service or privilege‑escalation bugs.

All Linux kernel installations that include the ASoC architecture, Qualcomm QDSP6 drivers, and the topology subsystem are potentially affected. The issue resides in the generic Linux kernel, meaning any distribution shipping an affected kernel version could be vulnerable. Impacted components include the audio driver stack and any applications that trigger topology parsing through the kernel’s sound framework.

The vulnerability is not listed in the CISA KEV catalog and no EPSS score is available, indicating that public exploitation is not currently documented. The likelihood of exploitation is low unless a local attacker can access the audio subsystem with sufficient privileges. The bug could be leveraged as a local privilege escalation vector by inducing the kernel to read or write memory at an arbitrary address. However, no known remote exploitation path exists, and the impact is limited to systems running the affected kernel code.