VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2023-54233

Description

In the Linux kernel, the following vulnerability has been resolved:

ASoC: SOF: avoid a NULL dereference with unsupported widgets

If an IPC4 topology contains an unsupported widget, its .module_info field won't be set, then sof_ipc4_route_setup() will cause a kernel Oops trying to dereference it. Add a check for such cases.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NULL dereference in Linux kernel ASoC SOF driver occurs when IPC4 topology includes an unsupported widget without .module_info field.

Vulnerability Overview

The Linux kernel's ASoC SOF (Sound Open Firmware) subsystem contains a NULL pointer dereference vulnerability. The issue arises in sof_ipc4_route_setup() when processing an IPC4 topology that includes an unsupported widget. Such widgets lack a valid .module_info field, and the function attempts to dereference it without a prior check, leading to a kernel Oops.
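The missing check described above, as a simplified userspace C model. This is an added example, not the kernel's code or the fix commit; the struct layout, the function names `widget_setup`, `route_setup` and `demo_route`, the widget type ids and the `-ENODEV` return value are all assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
/* Userspace model only: these structs and names are hypothetical
 * stand-ins, not the kernel's definitions. */
struct module_info { unsigned int module_id; };
struct widget {
    const char *name;
    int type;                              /* constructed type id */
    const struct module_info *module_info; /* NULL if unsupported */
};
enum { W_SUPPORTED = 1, W_UNSUPPORTED = 99 };
static const struct module_info known_module = { 7 };

/* Topology load: only supported widget types get module_info set. */
static void widget_setup(struct widget *w)
{
    w->module_info = (w->type == W_SUPPORTED) ? &known_module : NULL;
}

/* Route setup with the check in place: refuse the route when either
 * end has no module_info instead of dereferencing NULL. */
static int route_setup(const struct widget *src, const struct widget *sink)
{
    if (!src->module_info || !sink->module_info) {
        fprintf(stderr, "cannot bind %s -> %s: widget not set up\n",
                src->name, sink->name);
        return -ENODEV; /* error code chosen for this example */
    }
    /* Safe to dereference only after the check above. */
    printf("bind module %u -> %u\n", src->module_info->module_id,
           sink->module_info->module_id);
    return 0;
}

/* Build one route from two constructed widget types and set it up. */
static int demo_route(int src_type, int sink_type)
{
    struct widget src = { "src", src_type, NULL };
    struct widget sink = { "sink", sink_type, NULL };
    widget_setup(&src);
    widget_setup(&sink);
    return route_setup(&src, &sink);
}

int main(void)
{
    return demo_route(W_SUPPORTED, W_UNSUPPORTED) == -ENODEV ? 0 : 1;
}
```

Without the `if` block in `route_setup`, the route with an unsupported end would read through a NULL `module_info`, which is the crash condition the description names.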

Exploitation Path

Exploitation requires the ability to load a crafted IPC4 topology into the SOF driver. This typically necessitates local access or the ability to trigger a firmware load with a malicious topology file. No authentication is needed beyond the ability to interact with the ALSA subsystem. The attack surface is limited to systems using the SOF driver with IPC4 support.

Impact

A successful exploit causes a kernel NULL pointer dereference, resulting in a denial of service (system crash or reboot). There is no evidence of privilege escalation or arbitrary code execution from this vulnerability.

Mitigation

The issue was fixed in the Linux kernel with commit e3720f92e023. Users should apply the patch from the stable kernel tree or update to a kernel version containing the fix [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
