CVE-2026-31778 - Vulnerability Details

- ALSA: caiaq: fix stack out-of-bounds read in init_card

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: caiaq: fix stack out-of-bounds read in init_card

The loop creates a whitespace-stripped copy of the card shortname
where `len < sizeof(card->id)` is used for the bounds check. Since
sizeof(card->id) is 16 and the local id buffer is also 16 bytes,
writing 16 non-space characters fills the entire buffer,
overwriting the terminating nullbyte.

When this non-null-terminated string is later passed to
snd_card_set_id() -> copy_valid_id_string(), the function scans
forward with `while (*nid && ...)` and reads past the end of the
stack buffer, reading the contents of the stack.

A USB device with a product name containing many non-ASCII, non-space
characters (e.g. multibyte UTF-8) will reliably trigger this as follows:

BUG: KASAN: stack-out-of-bounds in copy_valid_id_string
sound/core/init.c:696 [inline]
BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock+0x698/0x74c
sound/core/init.c:718

The off-by-one has been present since commit bafeee5b1f8d ("ALSA:
snd_usb_caiaq: give better shortname") from June 2009 (v2.6.31-rc1),
which first introduced this whitespace-stripping loop. The original
code never accounted for the null terminator when bounding the copy.

Fix this by changing the loop bound to `sizeof(card->id) - 1`,
ensuring at least one byte remains as the null terminator.

Published: 2026-05-01

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a stack out‑of‑bounds read caused by an off‑by‑one error while copying an ALSA device shortname into a fixed 16‑byte buffer. The bug allows the kernel code to read past the end of the local stack buffer when processing a long or multibyte USB product name, exposing arbitrary stack contents to a local attacker. The exposed data may contain sensitive kernel information that could assist in further exploitation attempts.

Affected Systems

All Linux kernel versions that shipped before the fix were vulnerable, including the 2.6.31 series and the 3.x, 4.x, and 5.x release lines. The bug has been present since a 2009 commit and was only corrected in a later kernel release. Any system running an unpatched kernel that can enumerate USB audio devices with long product names is at risk.

Risk and Exploitability

The CVSS score is not publicly available, and the EPSS score is not listed, indicating low current exploitation probability. There are no known public exploits and the vulnerability is not included in the CISA KEV catalog. The likely attack vector involves manually connecting a crafted USB audio device to trigger the out‑of‑bounds read, which would result in a kernel fault or an information leak. Because the read is confined to kernel memory, remote code execution is not directly achievable without additional privilege‑escalation techniques.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a`	affected	< 02d9c5b0b5553a391448b6d655262bd829f90234
`bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a`	affected	< 3f7f8bae0d52cbd07ab04b76b6aac89ef98ee9f6
`bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a`	affected	< 66194c2575a4f567577ae70b1d7561163ce791a6
`bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a`	affected	< a82c1bce2d1299dd3c686a8fe48cf75b79a403c7
`bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a`	affected	< 3178b62e2e31bab39f63d4c8e54bf4ee0a425627
`bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a`	affected	< 3afa2e67f3523a980a2f90fd63c22322ac2b9ce0
`bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a`	affected	< 7594a6464873d90fd229e5b94cdd3b92c9feabed
`bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a`	affected	< 45424e871abf2a152e247a9cff78359f18dd95c0

Linux

affected

Version	Status	Constraints
`2.6.31`	affected	—
`0`	unaffected	< 2.6.31
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a,02d9c5b0b5553a391448b6d655262bd829f90234)`	affected	code_commit	—
`[bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a,3f7f8bae0d52cbd07ab04b76b6aac89ef98ee9f6)`	affected	code_commit	—
`[bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a,66194c2575a4f567577ae70b1d7561163ce791a6)`	affected	code_commit	—
`[bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a,a82c1bce2d1299dd3c686a8fe48cf75b79a403c7)`	affected	code_commit	—
`[bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a,3178b62e2e31bab39f63d4c8e54bf4ee0a425627)`	affected	code_commit	—
`[bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a,3afa2e67f3523a980a2f90fd63c22322ac2b9ce0)`	affected	code_commit	—
`[bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a,7594a6464873d90fd229e5b94cdd3b92c9feabed)`	affected	code_commit	—
`[bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a,45424e871abf2a152e247a9cff78359f18dd95c0)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.31`	affected	semver	—
`[0,2.6.31)`	unaffected	generic	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.168,6.2.0)`	unaffected	semver	—
`[6.6.134,6.7.0)`	unaffected	semver	—
`[6.12.81,6.13.0)`	unaffected	semver	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel update that includes the commit fixing the ALSA caiaq stack read bug.
If a kernel upgrade is not immediately possible, disable automatic enumeration of USB audio devices or remove offending devices to stop the fault from occurring.
Monitor kernel logs for KASAN stack traces, which indicate that the defect is still present or triggered on the system.

Generated by OpenCVE AI on May 2, 2026 at 07:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/02d9c5b0b5553a391448b6d655262bd829f90234
https://git.kernel.org/stable/c/3178b62e2e31bab39f63d4c8e54bf4ee0a425627
https://git.kernel.org/stable/c/3afa2e67f3523a980a2f90fd63c22322ac2b9ce0
https://git.kernel.org/stable/c/3f7f8bae0d52cbd07ab04b76b6aac89ef98ee9f6
https://git.kernel.org/stable/c/45424e871abf2a152e247a9cff78359f18dd95c0
https://git.kernel.org/stable/c/66194c2575a4f567577ae70b1d7561163ce791a6
https://git.kernel.org/stable/c/7594a6464873d90fd229e5b94cdd3b92c9feabed
https://git.kernel.org/stable/c/a82c1bce2d1299dd3c686a8fe48cf75b79a403c7

History

Sat, 02 May 2026 07:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-193 CWE-20

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: fix stack out-of-bounds read in init_card The loop creates a whitespace-stripped copy of the card shortname where `len < sizeof(card->id)` is used for the bounds check. Since sizeof(card->id) is 16 and the local id buffer is also 16 bytes, writing 16 non-space characters fills the entire buffer, overwriting the terminating nullbyte. When this non-null-terminated string is later passed to snd_card_set_id() -> copy_valid_id_string(), the function scans forward with `while (*nid && ...)` and reads past the end of the stack buffer, reading the contents of the stack. A USB device with a product name containing many non-ASCII, non-space characters (e.g. multibyte UTF-8) will reliably trigger this as follows: BUG: KASAN: stack-out-of-bounds in copy_valid_id_string sound/core/init.c:696 [inline] BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock+0x698/0x74c sound/core/init.c:718 The off-by-one has been present since commit bafeee5b1f8d ("ALSA: snd_usb_caiaq: give better shortname") from June 2009 (v2.6.31-rc1), which first introduced this whitespace-stripping loop. The original code never accounted for the null terminator when bounding the copy. Fix this by changing the loop bound to `sizeof(card->id) - 1`, ensuring at least one byte remains as the null terminator.
Title		ALSA: caiaq: fix stack out-of-bounds read in init_card
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/02d9c5b0b5553a391448b6d655262bd829f90234 https://git.kernel.org/stable/c/3178b62e2e31bab39f63d4c8e54bf4ee0a425627 https://git.kernel.org/stable/c/3afa2e67f3523a980a2f90fd63c22322ac2b9ce0 https://git.kernel.org/stable/c/3f7f8bae0d52cbd07ab04b76b6aac89ef98ee9f6 https://git.kernel.org/stable/c/45424e871abf2a152e247a9cff78359f18dd95c0 https://git.kernel.org/stable/c/66194c2575a4f567577ae70b1d7561163ce791a6 https://git.kernel.org/stable/c/7594a6464873d90fd229e5b94cdd3b92c9feabed https://git.kernel.org/stable/c/a82c1bce2d1299dd3c686a8fe48cf75b79a403c7

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:15:05.804Z

Updated: 2026-05-01T14:15:05.804Z

Reserved: 2026-03-09T15:48:24.140Z

Link: CVE-2026-31778

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:41.190

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31778

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T07:30:36Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object