Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: caiaq: fix stack out-of-bounds read in init_card

The loop creates a whitespace-stripped copy of the card shortname
where `len < sizeof(card->id)` is used for the bounds check. Since
sizeof(card->id) is 16 and the local id buffer is also 16 bytes,
writing 16 non-space characters fills the entire buffer,
overwriting the terminating nullbyte.

When this non-null-terminated string is later passed to
snd_card_set_id() -> copy_valid_id_string(), the function scans
forward with `while (*nid && ...)` and reads past the end of the
stack buffer, reading the contents of the stack.

A USB device with a product name containing many non-ASCII, non-space
characters (e.g. multibyte UTF-8) will reliably trigger this as follows:

BUG: KASAN: stack-out-of-bounds in copy_valid_id_string
sound/core/init.c:696 [inline]
BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock+0x698/0x74c
sound/core/init.c:718

The off-by-one has been present since commit bafeee5b1f8d ("ALSA:
snd_usb_caiaq: give better shortname") from June 2009 (v2.6.31-rc1),
which first introduced this whitespace-stripping loop. The original
code never accounted for the null terminator when bounding the copy.

Fix this by changing the loop bound to `sizeof(card->id) - 1`,
ensuring at least one byte remains as the null terminator.
Published: 2026-05-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stack out‑of‑bounds read caused by an off‑by‑one error while copying an ALSA device shortname into a fixed 16‑byte buffer. The bug allows kernel code to read past the end of the local stack buffer when processing a long or multibyte USB product name, exposing arbitrary stack contents to a local attacker. The exposed data may contain sensitive kernel information that could assist in further exploitation attempts.

Affected Systems

All Linux kernel releases that precede the commit applying the fix are vulnerable. The CVE references and CPE entries show the issue affecting the kernel broadly, including the 7.0 release candidates rc1 through rc6 and earlier kernel versions back to 2.6.31‑rc1. Any system running such a kernel and capable of enumerating USB audio devices with long product names is at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, and the EPSS score of < 1% signifies a very low probability of exploitation. There are no known public exploits and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves manually connecting a crafted USB audio device to trigger the out‑of‑bounds read, which would result in a kernel fault or an information leak. Because the read is confined to kernel memory, remote code execution is not directly achievable without additional privilege‑escalation techniques.

Generated by OpenCVE AI on May 11, 2026 at 23:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the commit fixing the ALSA caiaq stack read bug.
  • If a kernel upgrade is not immediately possible, disable automatic enumeration of USB audio devices or remove offending devices to stop the fault from occurring.
  • Monitor kernel logs for KASAN stack traces, which indicate that the defect is still present or has been triggered on the system.

Generated by OpenCVE AI on May 11, 2026 at 23:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DLA Debian DLA DLA-4606-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Mon, 11 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-193
CWE-20

Mon, 11 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}

Sat, 02 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-170
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Sat, 02 May 2026 07:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-193
CWE-20

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: fix stack out-of-bounds read in init_card The loop creates a whitespace-stripped copy of the card shortname where `len < sizeof(card->id)` is used for the bounds check. Since sizeof(card->id) is 16 and the local id buffer is also 16 bytes, writing 16 non-space characters fills the entire buffer, overwriting the terminating nullbyte. When this non-null-terminated string is later passed to snd_card_set_id() -> copy_valid_id_string(), the function scans forward with `while (*nid && ...)` and reads past the end of the stack buffer, reading the contents of the stack. A USB device with a product name containing many non-ASCII, non-space characters (e.g. multibyte UTF-8) will reliably trigger this as follows: BUG: KASAN: stack-out-of-bounds in copy_valid_id_string sound/core/init.c:696 [inline] BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock+0x698/0x74c sound/core/init.c:718 The off-by-one has been present since commit bafeee5b1f8d ("ALSA: snd_usb_caiaq: give better shortname") from June 2009 (v2.6.31-rc1), which first introduced this whitespace-stripping loop. The original code never accounted for the null terminator when bounding the copy. Fix this by changing the loop bound to `sizeof(card->id) - 1`, ensuring at least one byte remains as the null terminator.
Title ALSA: caiaq: fix stack out-of-bounds read in init_card
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:15:37.687Z

Reserved: 2026-03-09T15:48:24.140Z

Link: CVE-2026-31778

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T15:16:41.190

Modified: 2026-05-11T18:05:22.347

Link: CVE-2026-31778

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31778 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T23:30:02Z

Weaknesses