CVE-2026-53350 Overview
CVE-2026-53350 is a NULL pointer dereference vulnerability in the Linux kernel's ASoC (ALSA System on Chip) subsystem, specifically in the wm_adsp driver used for Wolfson/Cirrus Logic audio DSP firmware controls. The flaw resides in wm_adsp_control_remove(), which attempted to clean up private control data via cs_ctl->priv without first verifying that the pointer was non-NULL. When firmware controls are removed and no private data was allocated, the kernel dereferences a NULL pointer and crashes.
Critical Impact
A NULL pointer dereference during firmware control teardown can trigger a kernel oops, resulting in denial of service on affected audio subsystems.
Affected Products
- Linux kernel builds including the wm_adsp ASoC driver
- Systems using cs_dsp-based firmware controls where SYSTEM controls are registered
- Codec drivers registering a control_add() callback that hides controls from wm_adsp_control_add()
Discovery Timeline
- 2026-07-01 - CVE-2026-53350 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-53350
Vulnerability Analysis
The vulnerability is a NULL pointer dereference [CWE-476] in the Linux kernel ASoC wm_adsp driver. When cs_dsp creates a control, it invokes wm_adsp_control_add_cb() so that wm_adsp can attach its own private control data. Two conditions cause the private data to remain unallocated: the control is a SYSTEM control that does not produce an ALSA control, or the codec driver has registered a control_add() callback that hides the control and prevents wm_adsp_control_add() from being called.
When cs_dsp_remove tears down its control list, it calls wm_adsp_control_remove() for every control. The function then attempts to free resources referenced by cs_ctl->priv without checking whether the pointer is NULL, resulting in a kernel-mode NULL dereference and crash.
Root Cause
The root cause is missing input validation in wm_adsp_control_remove(). The function assumes cs_ctl->priv is always populated, but two legitimate code paths leave it unset. The fix adds a NULL check on priv before proceeding with cleanup.
Attack Vector
Triggering the flaw requires firmware control teardown to occur on a cs_dsp instance where at least one control had no private data attached. This is a local, code-path condition typically reached during driver removal or firmware reload, not through remote input. The impact is availability loss via kernel oops on the affected audio subsystem.
No verified exploit code is publicly available. Refer to the upstream commits for the technical fix.
Detection Methods for CVE-2026-53350
Indicators of Compromise
- Kernel oops messages referencing wm_adsp_control_remove in dmesg or journalctl -k output
- Unexpected crashes or module unload failures involving the snd_soc_wm_adsp module
- System instability correlated with audio driver reload, suspend/resume, or firmware reload events
Detection Strategies
- Monitor kernel ring buffer output for NULL pointer dereference traces originating in ASoC or cs_dsp code paths
- Compare installed kernel versions against the fixed commits published on kernel.org stable branches
- Track vendor kernel advisories for backports affecting the wm_adsp driver
Monitoring Recommendations
- Ingest /var/log/kern.log and journald kernel messages into centralized logging for pattern matching on oops signatures
- Alert on repeated kernel crashes on endpoints or embedded devices that use Cirrus Logic/Wolfson audio DSPs
- Track kernel package versions across the fleet and flag hosts running unpatched builds
How to Mitigate CVE-2026-53350
Immediate Actions Required
- Apply the upstream kernel patches referenced in the stable tree commits 10def23, 12e579b, 2f1be28, 5ee9bbe, 6effd6f, and 7d3fb78
- Rebuild or update distribution kernel packages to versions that incorporate the fix
- Reboot affected systems after patching to load the corrected kernel image
Patch Information
The fix modifies wm_adsp_control_remove() to check that cs_ctl->priv is non-NULL before dereferencing it for cleanup. Patch commits are available in the mainline and stable branches: Kernel Git Commit 10def23, Kernel Git Commit 12e579b, Kernel Git Commit 2f1be28, Kernel Git Commit 5ee9bbe, Kernel Git Commit 6effd6f, and Kernel Git Commit 7d3fb78.
Workarounds
- Avoid unloading or reloading the snd_soc_wm_adsp module on unpatched systems
- Disable firmware reload operations on affected audio codecs until the patched kernel is deployed
- On systems where audio DSP functionality is not required, blacklist the wm_adsp module
# Verify installed kernel version and check for the fix
uname -r
grep -r "wm_adsp_control_remove" /usr/src/linux-$(uname -r)/sound/soc/codecs/ 2>/dev/null
# Blacklist the module as a temporary workaround
echo "blacklist snd_soc_wm_adsp" | sudo tee /etc/modprobe.d/blacklist-wm_adsp.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

