Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Add sanity check for OOB writes at silencing

At silencing the playback URB packets in the implicit fb mode before
the actual playback, we blindly assume that the received packets fit
with the buffer size. But when the setup in the capture stream
differs from the playback stream (e.g. due to the USB core limitation
of max packet size), such an inconsistency may lead to OOB writes to
the buffer, resulting in a crash.

For addressing it, add a sanity check of the transfer buffer size at
prepare_silent_urb(), and stop the data copy if the received data
overflows. Also, report back the transfer error properly from there,
too.

Note that this doesn't fix the root cause of the playback error
itself, but this merely covers the kernel Oops.
Published: 2026-05-06
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in ALSA’s usb‑audio driver allows the kernel to copy data from a USB packet into a playback buffer without checking that the packet size matches the expected buffer length. When the size of a capture stream packet differs from the playback stream, the driver writes past the end of the buffer, triggering a kernel Oops. This results in a crash of the operating system, allowing an attacker to disrupt service. The vulnerability is a classic out‑of‑bounds write and can be exploited by supplying malformed USB audio data to the system.

Affected Systems

The bug exists in the Linux kernel’s ALSA usb‑audio subsystem. No vendor or product name is more specific than Linux kernel, and the affected versions are not listed in the data provided. All kernel releases that compile any of the exposed usb‑audio functions prior to the fix are potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, but the impact of a kernel crash is severe, leading to denial of service. The EPSS score of < 1% suggests a low probability that this exploit is widely used, and the flaw is not listed in CISA’s KEV catalog, indicating no known public exploits. Because the vulnerability is triggered by malformed USB packets, an attacker with physical or any USB access to the target device can directly cause the fault. The risk is high for devices that accept USB audio input—especially unattended servers or embedded systems—while for systems without exposed USB audio support the risk is lower. The lack of a public exploit at present does not remove the need for remediation, as the ability to crash a kernel is sufficient to damage availability and may serve as a foothold for further compromise if privilege escalation is found elsewhere.

Generated by OpenCVE AI on May 8, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains the patch for the usb‑audio OOB write fix (commit references in the provided kernel URLs).
  • Reboot the system or reload the ALSA module to ensure the updated code is in memory.
  • If an immediate kernel update is not possible, unload or disable the ALSA usb‑audio module (e.g., by adding “options snd_usb no_card=1” or simply setting the module to ‘blacklist’) to prevent USB audio devices from being processed.

Generated by OpenCVE AI on May 8, 2026 at 17:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Wed, 06 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Add sanity check for OOB writes at silencing At silencing the playback URB packets in the implicit fb mode before the actual playback, we blindly assume that the received packets fit with the buffer size. But when the setup in the capture stream differs from the playback stream (e.g. due to the USB core limitation of max packet size), such an inconsistency may lead to OOB writes to the buffer, resulting in a crash. For addressing it, add a sanity check of the transfer buffer size at prepare_silent_urb(), and stop the data copy if the received data overflows. Also, report back the transfer error properly from there, too. Note that this doesn't fix the root cause of the playback error itself, but this merely covers the kernel Oops.
Title ALSA: usb-audio: Add sanity check for OOB writes at silencing
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:21:29.169Z

Reserved: 2026-05-01T14:12:55.998Z

Link: CVE-2026-43279

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T12:16:49.350

Modified: 2026-05-08T19:02:38.547

Link: CVE-2026-43279

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43279 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T17:30:13Z

Weaknesses