CVE-2025-68346
Unknown Unknown - Not Provided
Buffer Overflow in Linux ALSA dice Component via Unvalidated Stream Count

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ALSA: dice: fix buffer overflow in detect_stream_formats() The function detect_stream_formats() reads the stream_count value directly from a FireWire device without validating it. This can lead to out-of-bounds writes when a malicious device provides a stream_count value greater than MAX_STREAMS. Fix by applying the same validation to both TX and RX stream counts in detect_stream_formats().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-06-16
AI Q&A
2025-12-24
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68346
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a buffer overflow in the Linux kernel's ALSA dice driver, specifically in the detect_stream_formats() function. The function reads a stream_count value directly from a FireWire device without validating it. If a malicious device provides a stream_count value larger than the allowed maximum (MAX_STREAMS), it can cause out-of-bounds writes, leading to a buffer overflow.

Impact Analysis

The vulnerability can lead to out-of-bounds memory writes, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges if exploited by a malicious FireWire device.

Mitigation Strategies

Apply the patch or update to the Linux kernel version that includes the fix for the ALSA dice buffer overflow vulnerability in detect_stream_formats(). This fix validates the stream_count values from FireWire devices to prevent out-of-bounds writes. Until patched, avoid connecting untrusted FireWire devices to the system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68346. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart