CVE-2026-46018
Status: Analyzed (analysis complete)
ALSA usb-audio: UAC2 Sample Rate Parsing Continues Past MAX_NR_RATES

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES

parse_uac2_sample_rate_range() caps the number of enumerated rates at MAX_NR_RATES, but it only breaks out of the current rate loop. A malformed UAC2 RANGE response with additional triplets continues parsing the remaining triplets and repeatedly prints "invalid uac2 rates" while probe still holds register_mutex.

Stop the whole parse once the cap is reached and return the number of rates collected so far.
Meta Information
Generated: 2026-06-16
EPSS evaluated: 2026-06-15 (no probability or percentile is shown on this page)
External references: NVD, EUVD
Affected Vendors & Products
8 associated CPEs. Every range is start-inclusive and end-exclusive, so the upper bound of each stable series (5.10.258, 5.15.209, 6.1.175, 6.6.140, 6.12.86, 6.18.27, 7.0.4) is the first release in that series that contains the fix.
Vendor  Product       Version / Range
linux   linux_kernel  3.0.81 to 3.1
linux   linux_kernel  3.2.47 to 5.10.258
linux   linux_kernel  5.11 to 5.15.209
linux   linux_kernel  5.16 to 6.1.175
linux   linux_kernel  6.2 to 6.6.140
linux   linux_kernel  6.7 to 6.12.86
linux   linux_kernel  6.13 to 6.18.27
linux   linux_kernel  6.19 to 7.0.4
CWE: CWE-UNKNOWN (no weakness classification has been assigned)
Executive Summary

The vulnerability is in the Linux kernel's ALSA usb-audio driver, in the code that parses USB Audio Class 2 (UAC2) sample rate RANGE responses. parse_uac2_sample_rate_range() is meant to cap the number of enumerated rates at MAX_NR_RATES, but when the cap is hit it only breaks out of the inner loop for the current (min, max, res) triplet. A malformed RANGE response that carries additional triplets is therefore walked to its end, with the driver logging "invalid uac2 rates" once per remaining triplet, all while probe still holds register_mutex. Note that the description reports repeated parsing and logging, not a write past the rate table; the title some trackers give this entry ("buffer overflow") is not supported by the advisory text.

The fix ends the whole parse as soon as the cap is reached and returns the number of rates collected so far, so a device-supplied rate list can no longer drive the driver through every extra triplet it contains.
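To make the loop-control difference concrete, the following is an added, simplified C model of the counting pass of parse_uac2_sample_rate_range(); it is not the kernel's code. It assumes the UAC2 RANGE layout of a 16-bit wNumSubRanges followed by 32-bit little-endian (dMIN, dMAX, dRES) triplets, uses a cap of 8 in place of the driver's much larger MAX_NR_RATES, leaves out the driver's device-specific rate filters and the register_mutex, and parses one constructed four-triplet response twice: once with the pre-fix behaviour (break out of the inner loop only) and once with the fixed behaviour (stop the whole parse and return the count so far).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Small cap so a short constructed input can exceed it; the driver's
 * MAX_NR_RATES is much larger. */
#define MAX_NR_RATES 8

struct parse_result {
    int nr_rates;                /* rates counted, the value returned to the caller */
    unsigned int triplets_seen;  /* triplets the outer loop actually visited */
    unsigned int err_prints;     /* "invalid uac2 rates" messages emitted */
};

/* Little-endian 32-bit read and write (combine_quad() does the read in the driver). */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void le32_put(uint8_t *p, uint32_t v)
{
    for (int k = 0; k < 4; k++)
        p[k] = (uint8_t)(v >> (8 * k));
}

/* Counting pass over an assumed UAC2 RANGE block: 16-bit wNumSubRanges, then
 * (dMIN, dMAX, dRES) 32-bit triplets. stop_all == 0 models the pre-fix loop,
 * which only leaves the current triplet when the cap is hit; stop_all == 1
 * models the fix, which ends the whole parse and returns the count so far. */
static int parse_uac2_rate_range(const uint8_t *data, size_t len,
                                 int stop_all, struct parse_result *r)
{
    memset(r, 0, sizeof(*r));
    if (len < 2)
        return -1;
    unsigned int nr_triplets = data[0] | ((unsigned int)data[1] << 8);
    if ((size_t)nr_triplets * 12 + 2 > len)   /* the count must fit the buffer */
        return -1;
    for (unsigned int i = 0; i < nr_triplets; i++) {
        const uint8_t *t = data + 2 + 12 * i;
        uint32_t min = le32(t), max = le32(t + 4), res = le32(t + 8);
        r->triplets_seen++;
        if (max < min)
            continue;
        for (uint32_t rate = min; rate <= max; rate += res) {
            r->nr_rates++;
            if (r->nr_rates >= MAX_NR_RATES) {
                r->err_prints++;
                fprintf(stderr, "invalid uac2 rates\n");
                if (stop_all)
                    return r->nr_rates;   /* fixed: the whole parse ends here */
                break;                    /* pre-fix: the next triplet still runs */
            }
            if (res == 0 || max - rate < res) /* no endless loop, no wrap-around */
                break;
        }
    }
    return r->nr_rates;
}

/* Constructed malformed response: four triplets whose rates exceed the cap. */
static size_t build_demo_block(uint8_t *buf, size_t cap)
{
    static const uint32_t triplets[][3] = {
        {  8000,  48000,  8000 },  /* 6 rates */
        { 44100, 176400, 44100 },  /* the cap is reached at its 2nd rate */
        { 96000, 192000, 96000 },  /* only the pre-fix loop gets this far */
        {  1000,   1000,     0 },  /* dRES == 0: a single rate */
    };
    size_t n = sizeof(triplets) / sizeof(triplets[0]);
    if (cap < 2 + 12 * n)
        return 0;
    buf[0] = (uint8_t)n;
    buf[1] = (uint8_t)(n >> 8);
    for (size_t i = 0; i < n; i++)
        for (size_t k = 0; k < 3; k++)
            le32_put(buf + 2 + 12 * i + 4 * k, triplets[i][k]);
    return 2 + 12 * n;
}

/* Parse the constructed block with either behaviour; the counters live in a
 * static so a caller can read them without declaring a struct. */
const struct parse_result *run_demo(int stop_all)
{
    static struct parse_result r;
    uint8_t buf[64];
    size_t len = build_demo_block(buf, sizeof(buf));
    parse_uac2_rate_range(buf, len, stop_all, &r);
    return &r;
}

int main(void)
{
    for (int stop_all = 0; stop_all <= 1; stop_all++) {
        const struct parse_result *r = run_demo(stop_all);
        printf("%s: %d rates, %u triplets visited, %u error prints\n",
               stop_all ? "fixed  " : "pre-fix", r->nr_rates, r->triplets_seen, r->err_prints);
    }
    return 0;
}
```

Built with a plain `cc -std=c99`, the pre-fix path visits all four triplets, prints the error three times and reports 10 rates, more than the cap, because each extra triplet contributes one more rate before the check trips again; the fixed path stops inside the second triplet with a single message and exactly MAX_NR_RATES rates. This matches the advisory: the cost of the malformed response is extra parsing and log output during probe, not an out-of-bounds write.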

Impact Analysis

The trigger is the device's own descriptor data, so exploiting it means presenting a crafted or faulty USB audio device (or an emulation of one) to the host. When such a device reports more UAC2 rate triplets than the cap allows, the driver walks every remaining triplet and emits "invalid uac2 rates" for each one, which floods the kernel log and lengthens probe.

Because that extra work happens while probe holds register_mutex, other ALSA operations that need the same mutex are blocked until the malformed descriptor has been walked to its end. The practical impact is therefore a denial-of-service or stall of the audio subsystem during device attach, together with log noise; the description gives no indication of memory corruption or privilege escalation.
