CVE-2026-31778
Buffer Overflow in Linux Kernel ALSA caiaq Driver
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | kernel | * |
| linux_kernel | alsa | From 2.6.31-rc1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stack out-of-bounds read in the Linux kernel's ALSA caiaq driver during the initialization of a sound card.
The issue arises because a loop copies the card's shortname into a buffer without reserving space for the null terminator, so the buffer can be completely filled with characters, overwriting the terminating null byte.
Later, when the non-null-terminated string is processed, the code reads past the end of the buffer, causing a stack out-of-bounds read.
This can be triggered by a USB device with a product name containing many non-ASCII, non-space characters, leading to a kernel bug report related to stack out-of-bounds reads.
The fix involved changing the loop boundary to leave space for the null terminator, preventing the out-of-bounds read.
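The loop-bound mistake and its fix, modelled in user space as an added example (this is not the kernel driver's code). The function names, the 16-byte `ID_LEN`, and the sample product name are assumptions made for illustration; only space-skipping is modelled.

```c
#include <stdio.h>
#include <string.h>

#define ID_LEN 16u  /* assumed size of the id buffer in this model */

/* "Before": the bound lets len reach ID_LEN, so the last byte of id
 * can end up holding a character instead of the terminator. */
static void fill_id_before(char id[ID_LEN], const char *shortname)
{
    size_t len = 0;

    memset(id, 0, ID_LEN);
    for (const char *c = shortname; *c && len < ID_LEN; c++)
        if (*c != ' ')
            id[len++] = *c;
}

/* "After": stop one byte early so id[ID_LEN - 1] always stays '\0'. */
static void fill_id_after(char id[ID_LEN], const char *shortname)
{
    size_t len = 0;

    memset(id, 0, ID_LEN);
    for (const char *c = shortname; *c && len < ID_LEN - 1; c++)
        if (*c != ' ')
            id[len++] = *c;
}

/* Bounded check: 1 if a NUL exists inside the buffer, 0 otherwise. */
static int is_terminated(const char id[ID_LEN])
{
    return memchr(id, '\0', ID_LEN) != NULL;
}

int main(void)
{
    /* Constructed product name: 20 non-space characters. */
    const char *name = "ABCDEFGHIJKLMNOPQRST";
    char id[ID_LEN];

    fill_id_before(id, name);
    printf("before: terminated=%d\n", is_terminated(id));
    fill_id_after(id, name);
    printf("after:  terminated=%d id=%s\n", is_terminated(id), id);
    return 0;
}
```

Any consumer that treats the "before" buffer as a C string keeps reading past its end, which is the out-of-bounds read described above.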
How can this vulnerability impact me?
This vulnerability can cause the Linux kernel to read memory beyond the intended buffer, potentially leading to system instability or crashes.
Since it involves reading out-of-bounds stack memory, it might expose sensitive information from the kernel stack, which could be exploited by attackers.
However, the description does not specify if this vulnerability can be used for privilege escalation or remote code execution.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as a stack out-of-bounds read in the ALSA caiaq driver when a USB device with a product name containing many non-ASCII, non-space characters is connected.
Detection can be done by monitoring kernel logs for BUG messages from KASAN (Kernel Address Sanitizer) that report stack out-of-bounds reads in the ALSA sound core. These reports are only produced by kernels built with KASAN enabled.
- Check kernel logs for messages like: "BUG: KASAN: stack-out-of-bounds in copy_valid_id_string" or "BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock".
- Use the command: `dmesg | grep -i 'KASAN.*stack-out-of-bounds'`
- Monitor syslog or journalctl for similar error messages: `journalctl -k | grep -i 'KASAN.*stack-out-of-bounds'`
- Identify connected USB devices with suspicious product names containing many non-ASCII, non-space characters using: `lsusb -v`
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by changing the loop bound to ensure the string is properly null-terminated, preventing out-of-bounds reads.
Immediate mitigation steps include:
- Update the Linux kernel to a version that includes the fix for this vulnerability.
- Avoid connecting USB devices with product names containing many non-ASCII, non-space characters until the fix is applied.
- Monitor kernel logs for signs of exploitation or crashes related to this issue.