Description
In the Linux kernel, the following vulnerability has been resolved:

ASoC: wm_adsp: Fix NULL dereference when removing firmware controls

In wm_adsp_control_remove() check that the priv pointer is not NULL
before attempting to cleanup what it points to.

When cs_dsp creates a control it calls wm_adsp_control_add_cb() so that
wm_adsp can create its own private control data. There are two cases
where private data is not created:

1. The control is a SYSTEM control, so an ALSA control is not created.

2. The codec driver has registered a control_add() callback that
hides the control, so wm_adsp_control_add() is not called.

When cs_dsp_remove destroys its control list it calls
wm_adsp_control_remove() for each control. But wm_adsp_control_remove()
was attempting to cleanup the private data pointed to by cs_ctl->priv
without checking the pointer for NULL.
Published: 2026-07-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a NULL pointer dereference (CWE-476) in the wm_adsp control removal routine of the Linux kernel sound subsystem. When a firmware control without associated private data is removed, the driver attempts to free that data unconditionally. This triggers a kernel oops, which can lead to a system crash or reboot. The vulnerability does not expose configuration or user data but disrupts availability for the affected system.
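The removal path from the description, as a small userspace C model added here for illustration (it is not the kernel's code or the actual patch). The struct layouts and the model_* names are assumptions; only the roles of wm_adsp_control_remove() and cs_ctl->priv come from the description.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: these structs are assumptions, not kernel layouts. */
struct model_priv { char *name; };   /* stands in for wm_adsp's private data */
struct model_ctl {
    int is_system;                   /* case 1: SYSTEM control, no ALSA control */
    int hidden;                      /* case 2: codec control_add() hid it */
    struct model_priv *priv;         /* mirrors cs_ctl->priv; may stay NULL */
};

/* Add path: private data exists only for controls that get an ALSA control. */
static int model_control_add(struct model_ctl *ctl)
{
    ctl->priv = NULL;
    if (ctl->is_system || ctl->hidden)
        return 0;
    ctl->priv = calloc(1, sizeof(*ctl->priv));
    if (!ctl->priv)
        return -1;
    ctl->priv->name = malloc(16);
    return ctl->priv->name ? 0 : -1;
}

/* Remove path with the NULL check. Returns 1 if private data was freed. */
static int model_control_remove(struct model_ctl *ctl)
{
    struct model_priv *priv = ctl->priv;

    if (!priv)
        return 0;   /* without this, priv->name below reads through NULL */
    free(priv->name);
    free(priv);
    ctl->priv = NULL;
    return 1;
}

/* Constructed list: one ordinary, one SYSTEM, one hidden control. */
static int run_demo(void)
{
    struct model_ctl ctls[] = { {0, 0, NULL}, {1, 0, NULL}, {0, 1, NULL} };
    int n = sizeof(ctls) / sizeof(ctls[0]), freed = 0;

    for (int i = 0; i < n; i++)
        if (model_control_add(&ctls[i]) != 0)
            return -1;
    for (int i = 0; i < n; i++)     /* like destroying the whole control list */
        freed += model_control_remove(&ctls[i]);
    return freed;
}

int main(void)
{
    printf("controls with private data freed: %d of 3\n", run_demo());
    return 0;
}
```

Only the ordinary control has private data to free; the SYSTEM and hidden entries reach the remove path with a NULL pointer and are skipped by the check.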

Affected Systems

All builds of the Linux kernel that include the wm_adsp driver are potentially susceptible, as the issue exists in any kernel version before the commit that introduces the null check. Since the exact vulnerable version range is not specified, any kernel lacking the patch should be considered at risk.

Risk and Exploitability

The vulnerability requires an attacker to exercise control removal on the wm_adsp device, which normally necessitates local system access or a program capable of manipulating ALSA controls. The CVSS score of 5.5 indicates a moderate severity, and the attack vector is local, with no publicly disclosed exploitation or KEV listing. With no EPSS score, the theoretical exploitation probability is low to moderate; however, an affected kernel could still be forced into a crash if the attacker can trigger the buggy path.

Generated by OpenCVE AI on July 2, 2026 at 13:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that contains the commit adding the null check (e.g., 10def23b, 12e579b8, or later).
  • If a distribution kernel is not yet patched, backport the fix from the kernel repository into your current kernel tree and rebuild the module.
  • After applying the update, restart the system or reload the wm_adsp module to ensure the driver reinitializes correctly.



Advisories

No advisories yet.

History

Thu, 02 Jul 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity: Low


Wed, 01 Jul 2026 17:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-476

Wed, 01 Jul 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | | (identical to the Description text at the top of this page)
Title | | ASoC: wm_adsp: Fix NULL dereference when removing firmware controls
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-01T13:32:27.975Z

Reserved: 2026-06-09T07:44:35.399Z

Link: CVE-2026-53350

Vulnrichment

No data.

NVD

No data.

Redhat

Severity: Low

Public Date: 2026-07-01T00:00:00Z

Links: CVE-2026-53350 - Bugzilla

OpenCVE Enrichment

Updated: 2026-07-02T13:45:02Z

Weaknesses