Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: ctxfi: Limit PTP to a single page

Commit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256
playback streams, but the additional pages are not used by the card
correctly. The CT20K2 hardware already has multiple VMEM_PTPAL
registers, but using them separately would require refactoring the
entire virtual memory allocation logic.

ct_vm_map() always uses PTEs in vm->ptp[0].area regardless of
CT_PTP_NUM. On AMD64 systems, a single PTP covers 512 PTEs (2M). When
aggregate memory allocations exceed this limit, ct_vm_map() tries to
access beyond the allocated space and causes a page fault:

BUG: unable to handle page fault for address: ffffd4ae8a10a000
Oops: Oops: 0002 [#1] SMP PTI
RIP: 0010:ct_vm_map+0x17c/0x280 [snd_ctxfi]
Call Trace:
atc_pcm_playback_prepare+0x225/0x3b0
ct_pcm_playback_prepare+0x38/0x60
snd_pcm_do_prepare+0x2f/0x50
snd_pcm_action_single+0x36/0x90
snd_pcm_action_nonatomic+0xbf/0xd0
snd_pcm_ioctl+0x28/0x40
__x64_sys_ioctl+0x97/0xe0
do_syscall_64+0x81/0x610
entry_SYSCALL_64_after_hwframe+0x76/0x7e

Revert CT_PTP_NUM to 1. The 256 SRC_RESOURCE_NUM and playback_count
remain unchanged.
Published: 2026-04-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ALSA ctxfi driver incorrectly permits the use of up to four Page Table Pages (PTPs) while the hardware only supports a single PTP. ct_vm_map() always walks through the first PTP, which means that if more than 512 PTEs (2 MiB on AMD64) are needed, the function accesses memory beyond the allocated page. This out‑of‑bounds read causes a kernel page fault and triggers a BUG, resulting in a kernel panic. The flaw leads to a denial of service and is classified as a memory corruption weakness (CWE‑788).

Affected Systems

Linux kernels that include the 391e69143d0a commit, which increased CT_PTP_NUM from 1 to 4, are affected. This includes any recent kernel releases that shipped the change without the subsequent revert. Systems that use the CT20K2 audio controller—or similar hardware that relies on the ctxfi driver—may trigger the fault when an audio operation requires more than the allocated page. The vulnerability therefore targets host kernel memory on AMD64 platforms.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, but the EPSS score of <1 % shows that current exploitation is unlikely. The flaw is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is a local privileged user who can issue audio requests that consume memory beyond the single‑page limit, causing the kernel to panic. For administrators, the risk is moderate: high impact if executed, but low likelihood of exploitation at present.

Generated by OpenCVE AI on April 30, 2026 at 04:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel version where CT_PTP_NUM has been reverted to 1, ensuring the driver does not allocate multiple PTPs.
  • If a patched kernel is not available, apply a source patch to the ALSA ctxfi driver that sets CT_PTP_NUM back to 1 or otherwise limits allocations to a single page.
  • Enable kernel crash dumps and monitor audit logs for BUG or Oops messages involving snd_ctxfi, and roll back or restrict the offending audio hardware until a formal fix is installed.

Generated by OpenCVE AI on April 30, 2026 at 04:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Wed, 29 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
References

Mon, 27 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
References

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-788
References

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Limit PTP to a single page Commit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256 playback streams, but the additional pages are not used by the card correctly. The CT20K2 hardware already has multiple VMEM_PTPAL registers, but using them separately would require refactoring the entire virtual memory allocation logic. ct_vm_map() always uses PTEs in vm->ptp[0].area regardless of CT_PTP_NUM. On AMD64 systems, a single PTP covers 512 PTEs (2M). When aggregate memory allocations exceed this limit, ct_vm_map() tries to access beyond the allocated space and causes a page fault: BUG: unable to handle page fault for address: ffffd4ae8a10a000 Oops: Oops: 0002 [#1] SMP PTI RIP: 0010:ct_vm_map+0x17c/0x280 [snd_ctxfi] Call Trace: atc_pcm_playback_prepare+0x225/0x3b0 ct_pcm_playback_prepare+0x38/0x60 snd_pcm_do_prepare+0x2f/0x50 snd_pcm_action_single+0x36/0x90 snd_pcm_action_nonatomic+0xbf/0xd0 snd_pcm_ioctl+0x28/0x40 __x64_sys_ioctl+0x97/0xe0 do_syscall_64+0x81/0x610 entry_SYSCALL_64_after_hwframe+0x76/0x7e Revert CT_PTP_NUM to 1. The 256 SRC_RESOURCE_NUM and playback_count remain unchanged.
Title ALSA: ctxfi: Limit PTP to a single page
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:11:57.946Z

Reserved: 2026-03-09T15:48:24.121Z

Link: CVE-2026-31602

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T15:16:39.263

Modified: 2026-04-29T20:16:49.660

Link: CVE-2026-31602

cve-icon Redhat

Severity :

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31602 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T04:15:26Z

Weaknesses