Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Prevent excessive number of frames

In this case, the user constructed the parameters with maxpacksize 40
for rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer
size for each data URB is maxpacksize * packets, which in this example
is 40 * 6 = 240; When the user performs a write operation to send audio
data into the ALSA PCM playback stream, the calculated number of frames
is packsize[0] * packets = 264, which exceeds the allocated URB buffer
size, triggering the out-of-bounds (OOB) issue reported by syzbot [1].

Added a check for the number of single data URB frames when calculating
the number of frames to prevent [1].

[1]
BUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487
Write of size 264 at addr ffff88804337e800 by task syz.0.17/5506
Call Trace:
copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487
prepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611
prepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333
Published: 2026-02-14
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel out‑of‑bounds write that may lead to local privilege escalation
Action: Immediate Patch
AI Analysis

Impact

An out‑of‑bounds write in the ALSA USB audio driver occurs when a user sends audio data to the PCM playback stream with certain parameter combinations. The driver incorrectly calculates the number of frames, exceeding the allocated URB buffer size and writing beyond the bounds of kernel memory. This buffer overflow can corrupt critical kernel structures, potentially allowing a local attacker to execute arbitrary code or gain elevated privileges. The issue is identified as a CWE‑787.

Affected Systems

Kernel versions affected include those before the patch commit referenced in the kernel module updates. Specifically, versions 4.4.229, 4.9.229, and the 6.19 release candidates from RC1 to RC5 are known to contain the flaw. All Linux kernel installations that still use these or earlier releases without the applied fix are potentially vulnerable, regardless of vendor.

Risk and Exploitability

The CVSS score of 7.8 reflects a high severity, yet the EPSS rating of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a local user with the ability to write to the ALSA PCM device, so the attack surface is limited to systems where audio drivers are exposed to untrusted users. When present, the kernel memory corruption could be leveraged for privilege escalation to root.

Generated by OpenCVE AI on April 17, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that incorporates the ALSA USB audio driver fix (e.g., the latest stable release or backported patch).
  • Restrict access to the /dev/snd/* device nodes to trusted users only, denying audio write access to untrusted accounts.
  • If a patch is not immediately available, consider disabling or removing the ALSA USB audio subsystem from the kernel configuration to eliminate the attack vector.

Generated by OpenCVE AI on April 17, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
CPEs cpe:2.3:o:linux:linux_kernel:4.4.229:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.9.229:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 17 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Mon, 16 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
References

Sat, 14 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Prevent excessive number of frames In this case, the user constructed the parameters with maxpacksize 40 for rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer size for each data URB is maxpacksize * packets, which in this example is 40 * 6 = 240; When the user performs a write operation to send audio data into the ALSA PCM playback stream, the calculated number of frames is packsize[0] * packets = 264, which exceeds the allocated URB buffer size, triggering the out-of-bounds (OOB) issue reported by syzbot [1]. Added a check for the number of single data URB frames when calculating the number of frames to prevent [1]. [1] BUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487 Write of size 264 at addr ffff88804337e800 by task syz.0.17/5506 Call Trace: copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487 prepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611 prepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333
Title ALSA: usb-audio: Prevent excessive number of frames
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-16T08:58:58.667Z

Reserved: 2026-01-13T15:37:45.986Z

Link: CVE-2026-23208

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-14T17:15:58.703

Modified: 2026-03-18T20:49:35.557

Link: CVE-2026-23208

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23208 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T19:30:15Z

Weaknesses