CVE-2026-23208
Unknown Unknown - Not Provided
Out-of-Bounds Write in Linux ALSA USB-Audio PCM Playback

Publication date: 2026-02-14

Last updated on: 2026-03-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Prevent excessive number of frames In this case, the user constructed the parameters with maxpacksize 40 for rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer size for each data URB is maxpacksize * packets, which in this example is 40 * 6 = 240; When the user performs a write operation to send audio data into the ALSA PCM playback stream, the calculated number of frames is packsize[0] * packets = 264, which exceeds the allocated URB buffer size, triggering the out-of-bounds (OOB) issue reported by syzbot [1]. Added a check for the number of single data URB frames when calculating the number of frames to prevent [1]. [1] BUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487 Write of size 264 at addr ffff88804337e800 by task syz.0.17/5506 Call Trace: copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487 prepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611 prepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-02-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23208
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 4.14.186 (inc) to 4.14.188 (exc)
linux linux_kernel From 4.19.130 (inc) to 4.19.132 (exc)
linux linux_kernel From 5.4.49 (inc) to 5.4.51 (exc)
linux linux_kernel From 5.7.6 (inc) to 5.7.8 (exc)
linux linux_kernel From 5.8 (inc) to 6.18.10 (exc)
linux linux_kernel 4.4.229
linux linux_kernel 4.9.229
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's ALSA usb-audio component. It occurs when a user constructs parameters that cause the calculated number of audio frames to exceed the allocated buffer size for USB Request Blocks (URBs). Specifically, the number of frames calculated during a write operation to the ALSA PCM playback stream can be larger than the buffer size, leading to an out-of-bounds (OOB) memory access.

The issue arises because the buffer size is calculated as maxpacksize multiplied by the number of packets, but the number of frames is calculated differently, potentially exceeding this buffer size. This mismatch can cause memory corruption or crashes. The vulnerability was identified by syzbot and has been fixed by adding a check to prevent excessive frames in the URB.

Impact Analysis

This vulnerability can lead to out-of-bounds memory writes in the Linux kernel when handling USB audio data. Such memory corruption can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges if exploited.

Therefore, if an attacker can control the parameters used in the ALSA usb-audio subsystem, they might exploit this flaw to compromise system security or cause denial of service.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring kernel logs for out-of-bounds (OOB) errors related to ALSA USB audio playback streams. Specifically, look for KASAN slab-out-of-bounds errors in the sound/usb/pcm.c file during write operations.

You can check the kernel logs using commands such as:

  • dmesg | grep -i 'slab-out-of-bounds'
  • journalctl -k | grep -i 'copy_to_urb'
  • journalctl -k | grep -i 'sound/usb/pcm.c'

These commands help identify if the system is experiencing the specific out-of-bounds write errors caused by the vulnerability.

Mitigation Strategies

Immediate mitigation involves updating the Linux kernel to a version where this vulnerability has been fixed. The fix includes added checks to prevent excessive frames in ALSA USB audio playback streams.

If updating the kernel is not immediately possible, consider disabling or restricting USB audio devices to prevent exploitation via crafted parameters that trigger the out-of-bounds condition.

Monitoring system logs for related errors can also help in early detection and response.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23208. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart