CVE-2025-68346
Buffer Overflow in Linux ALSA dice Component via Unvalidated Stream Count
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Apply the patch or update to the Linux kernel version that includes the fix for the ALSA dice buffer overflow vulnerability in detect_stream_formats(). This fix validates the stream_count values from FireWire devices to prevent out-of-bounds writes. Until patched, avoid connecting untrusted FireWire devices to the system.
Can you explain this vulnerability to me?
This vulnerability is a buffer overflow in the Linux kernel's ALSA dice driver, specifically in the detect_stream_formats() function. The function reads a stream_count value directly from a FireWire device without validating it. If a malicious device provides a stream_count value larger than the allowed maximum (MAX_STREAMS), it can cause out-of-bounds writes, leading to a buffer overflow.
How can this vulnerability impact me? :
The vulnerability can lead to out-of-bounds memory writes, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges if exploited by a malicious FireWire device.