CVE-2026-31778
Analyzed Analyzed - Analysis Complete
Buffer Overflow in Linux Kernel ALSA caiaq Driver

Publication date: 2026-05-01

Last updated on: 2026-05-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: fix stack out-of-bounds read in init_card The loop creates a whitespace-stripped copy of the card shortname where `len < sizeof(card->id)` is used for the bounds check. Since sizeof(card->id) is 16 and the local id buffer is also 16 bytes, writing 16 non-space characters fills the entire buffer, overwriting the terminating nullbyte. When this non-null-terminated string is later passed to snd_card_set_id() -> copy_valid_id_string(), the function scans forward with `while (*nid && ...)` and reads past the end of the stack buffer, reading the contents of the stack. A USB device with a product name containing many non-ASCII, non-space characters (e.g. multibyte UTF-8) will reliably trigger this as follows: BUG: KASAN: stack-out-of-bounds in copy_valid_id_string sound/core/init.c:696 [inline] BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock+0x698/0x74c sound/core/init.c:718 The off-by-one has been present since commit bafeee5b1f8d ("ALSA: snd_usb_caiaq: give better shortname") from June 2009 (v2.6.31-rc1), which first introduced this whitespace-stripping loop. The original code never accounted for the null terminator when bounding the copy. Fix this by changing the loop bound to `sizeof(card->id) - 1`, ensuring at least one byte remains as the null terminator.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-11
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31778
EUVD
EUVD-2026-26591
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.134 (exc)
linux linux_kernel From 2.6.31 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stack out-of-bounds read in the Linux kernel's ALSA caiaq driver during the initialization of a sound card.

The issue arises because a loop copies the card's shortname into a buffer without properly accounting for the null terminator, allowing the buffer to be completely filled with characters and overwriting the terminating null byte.

Later, when the non-null-terminated string is processed, the code reads past the end of the buffer, causing a stack out-of-bounds read.

This can be triggered by a USB device with a product name containing many non-ASCII, non-space characters, leading to a kernel bug report related to stack out-of-bounds reads.

The fix involved changing the loop boundary to leave space for the null terminator, preventing the out-of-bounds read.

Impact Analysis

This vulnerability can cause the Linux kernel to read memory beyond the intended buffer, potentially leading to system instability or crashes.

Since it involves reading out-of-bounds stack memory, it might expose sensitive information from the kernel stack, which could be exploited by attackers.

However, the description does not specify if this vulnerability can be used for privilege escalation or remote code execution.

Detection Guidance

This vulnerability manifests as a stack out-of-bounds read in the ALSA caiaq driver when a USB device with a product name containing many non-ASCII, non-space characters is connected.

Detection can be done by monitoring kernel logs for specific BUG messages related to KASAN (Kernel Address Sanitizer) reports indicating stack out-of-bounds reads in the ALSA sound core.

  • Check kernel logs for messages like: "BUG: KASAN: stack-out-of-bounds in copy_valid_id_string" or "BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock".
  • Use the command: dmesg | grep -i 'KASAN.*stack-out-of-bounds'
  • Monitor syslog or journalctl for similar error messages: journalctl -k | grep -i 'KASAN.*stack-out-of-bounds'
  • Identify connected USB devices with suspicious product names containing many non-ASCII, non-space characters using: lsusb -v
Mitigation Strategies

The vulnerability is fixed by changing the loop bound to ensure the string is properly null-terminated, preventing out-of-bounds reads.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix for this vulnerability.
  • Avoid connecting USB devices with product names containing many non-ASCII, non-space characters until the fix is applied.
  • Monitor kernel logs for signs of exploitation or crashes related to this issue.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31778. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart