CVE-2026-46088
Awaiting Analysis - Queue
Linux Kernel Buffer Overflow in ALSA Control

Publication date: 2026-05-27

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()

snd_ctl_elem_init_enum_names() advances pointer p through the names buffer while decrementing buf_len. If buf_len reaches zero but items remain, the next iteration calls strnlen(p, 0).

While strnlen(p, 0) returns 0 and would hit the existing name_len == 0 error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks maxlen against __builtin_dynamic_object_size(). When Clang loses track of p's object size inside the loop, this triggers a BRK exception panic before the return value is examined.

Add a buf_len == 0 guard at the loop entry to prevent calling fortified strnlen() on an exhausted buffer.

Found by kernel fuzz testing through Xiaomi Smartphone.
Meta Information

Published: 2026-05-27
Last Modified: 2026-06-01
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
linux | linux_kernel | *
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's ALSA control component, specifically in the function snd_ctl_elem_init_enum_names(). The function processes a buffer of names by advancing a pointer through it while decrementing a length counter (buf_len). If buf_len reaches zero but there are still items to process, the function calls strnlen() with a length of zero. Normally, strnlen(p, 0) returns 0 and triggers an error path. However, when CONFIG_FORTIFY_SOURCE is enabled, the fortified version of strnlen() performs an additional check on the maximum length against the dynamic object size. Due to Clang losing track of the pointer's object size inside the loop, this check causes a BRK exception panic before the return value is used. The fix involves adding a guard to prevent calling strnlen() when buf_len is zero, avoiding the panic.

Impact Analysis

This vulnerability can cause a kernel panic (system crash) due to a BRK exception triggered by the fortified strnlen() function when it is called incorrectly with a zero length. This can lead to denial of service on affected Linux systems, potentially causing unexpected reboots or system instability.

Mitigation Strategies

The vulnerability in the Linux kernel ALSA control can be mitigated by applying the patch that adds a buf_len == 0 guard at the loop entry in snd_ctl_elem_init_enum_names().

This patch prevents calling fortified strnlen() on an exhausted buffer, which avoids the BRK exception panic.

Therefore, the immediate step is to update your Linux kernel to a version that includes this fix.
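
The loop and the guard described above, as an added user-space model (not the kernel's code): check_enum_names(), counted_strnlen() and the guard flag are hypothetical names, and the sample buffer is constructed. It shows that both variants reject the input, but only the unguarded one reaches the length call with a zero maxlen.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Counts calls that reach the length helper with maxlen == 0. */
static unsigned zero_len_calls;

/* User-space stand-in for strnlen(); it only records the zero-length
 * call that the description says the fortified kernel version trapped on. */
static size_t counted_strnlen(const char *p, size_t maxlen)
{
    size_t n = 0;

    if (maxlen == 0)
        zero_len_calls++;
    while (n < maxlen && p[n] != '\0')
        n++;
    return n;
}

/* Walk `items` NUL-terminated names packed into names[0..buf_len).
 * guard != 0 enables the buf_len == 0 check at loop entry (the fix).
 * Returns 0 when every item has a non-empty, terminated name. */
static int check_enum_names(const char *names, size_t buf_len,
                            unsigned items, int guard)
{
    const char *p = names;

    for (unsigned i = 0; i < items; i++) {
        if (guard && buf_len == 0)
            return -EINVAL;      /* buffer exhausted, items remain */
        size_t name_len = counted_strnlen(p, buf_len);
        if (name_len == 0 || name_len == buf_len)
            return -EINVAL;      /* empty or unterminated (model's assumption) */
        p += name_len + 1;
        buf_len -= name_len + 1;
    }
    return 0;
}

int main(void)
{
    static const char names[] = "Off\0On";  /* constructed: 2 names, 7 bytes */
    int before = check_enum_names(names, sizeof(names), 3, 0);
    unsigned reached = zero_len_calls;      /* 1: strnlen(p, 0) was called */
    int after = check_enum_names(names, sizeof(names), 3, 1);
    printf("unguarded=%d zero-len calls=%u\n", before, reached);
    printf("guarded=%d zero-len calls added=%u\n", after, zero_len_calls - reached);
    return 0;
}
```
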
