CVE-2026-23208
Out-of-Bounds Write in Linux ALSA USB-Audio PCM Playback
Publication date: 2026-02-14
Last updated on: 2026-03-18
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 4.14.186 (inc) to 4.14.188 (exc) |
| linux | linux_kernel | From 4.19.130 (inc) to 4.19.132 (exc) |
| linux | linux_kernel | From 5.4.49 (inc) to 5.4.51 (exc) |
| linux | linux_kernel | From 5.7.6 (inc) to 5.7.8 (exc) |
| linux | linux_kernel | From 5.8 (inc) to 6.18.10 (exc) |
| linux | linux_kernel | 4.4.229 |
| linux | linux_kernel | 4.9.229 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's ALSA usb-audio component. It occurs when a user constructs parameters that cause the calculated number of audio frames to exceed the allocated buffer size for USB Request Blocks (URBs). Specifically, the number of frames calculated during a write operation to the ALSA PCM playback stream can be larger than the buffer size, leading to an out-of-bounds (OOB) memory access.
The issue arises because the buffer size is calculated as maxpacksize multiplied by the number of packets, but the number of frames is calculated differently, potentially exceeding this buffer size. This mismatch can cause memory corruption or crashes. The vulnerability was identified by syzbot and has been fixed by adding a check to prevent excessive frames in the URB.
How can this vulnerability impact me? :
This vulnerability can lead to out-of-bounds memory writes in the Linux kernel when handling USB audio data. Such memory corruption can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges if exploited.
Therefore, if an attacker can control the parameters used in the ALSA usb-audio subsystem, they might exploit this flaw to compromise system security or cause denial of service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring kernel logs for out-of-bounds (OOB) errors related to ALSA USB audio playback streams. Specifically, look for KASAN slab-out-of-bounds errors in the sound/usb/pcm.c file during write operations.
You can check the kernel logs using commands such as:
- dmesg | grep -i 'slab-out-of-bounds'
- journalctl -k | grep -i 'copy_to_urb'
- journalctl -k | grep -i 'sound/usb/pcm.c'
These commands help identify if the system is experiencing the specific out-of-bounds write errors caused by the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the Linux kernel to a version where this vulnerability has been fixed. The fix includes added checks to prevent excessive frames in ALSA USB audio playback streams.
If updating the kernel is not immediately possible, consider disabling or restricting USB audio devices to prevent exploitation via crafted parameters that trigger the out-of-bounds condition.
Monitoring system logs for related errors can also help in early detection and response.