Description
alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash.
Published: 2026-01-29
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via heap overflow
Action: Apply Patch
AI Analysis

Impact

In alsa-lib versions 1.2.2 through 1.2.15.2, the topology mixer control decoder reads a channel count field from an untrusted .tplg file and uses it as a loop bound without validating it against the library’s fixed-size channel array. This missing bounds check leads to a heap‑based buffer overflow that can overwrite adjacent memory and crash the process. The vulnerability causes loss of service because it terminates the ALSA control daemon. It does not provide an attacker with privilege escalation or remote code execution.

Affected Systems

ALSA Project alsa-lib, versions 1.2.2 to and including 1.2.15.2. The issue was fixed in commit 5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40 and any releases derived from that commit.

Risk and Exploitability

The CVSS score of 4.6 reflects moderate severity; the EPSS score of < 1 % indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply a crafted topology file that is processed by the ALSA control subsystem, typically via local user actions or by compromising a process that loads custom topology data. The absence of network‑exposed triggers means the attack vector is local and dependent on file handling privileges.

Generated by OpenCVE AI on April 16, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a patched version of alsa-lib (1.2.15.3 or later, which incorporates commit 5f7fe33).
  • Until a patch is available, delete or rename any custom or untrusted .tplg files from locations such as /usr/share/alsa, /etc/alsa, or user‑specific directories, preventing the decoder from processing them.
  • Apply strict file permissions on all topology files so that only trusted users or processes can create or modify them, thereby limiting the ability of an attacker to supply a malicious topology.

Generated by OpenCVE AI on April 16, 2026 at 17:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4469-1 alsa-lib security update
Ubuntu USN Ubuntu USN USN-8044-1 alsa-lib vulnerability
History

Thu, 05 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:alsa-project:alsa-lib:*:*:*:*:*:*:*:*

Fri, 06 Feb 2026 01:30:00 +0000

Type Values Removed Values Added
References

Fri, 30 Jan 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Alsa-project
Alsa-project alsa-lib
Vendors & Products Alsa-project
Alsa-project alsa-lib

Fri, 30 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

threat_severity

Moderate

Thu, 29 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 29 Jan 2026 19:30:00 +0000

Type Values Removed Values Added
Description alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash.
Title alsa-lib 1.2.15.2 Topology Decoder Heap-based Buffer Overflow
Weaknesses CWE-129
References
Metrics cvssV4_0

{'score': 4.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Alsa-project Alsa-lib
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:43.117Z

Reserved: 2026-01-28T21:47:35.120Z

Link: CVE-2026-25068

cve-icon Vulnrichment

Updated: 2026-02-06T00:15:45.511Z

cve-icon NVD

Status : Deferred

Published: 2026-01-29T20:16:10.623

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25068

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-01-29T19:08:03Z

Links: CVE-2026-25068 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T17:45:27Z

Weaknesses