Impact
In the Linux kernel ALSA usb-audio driver, the function parse_uac2_sample_rate_range() stops collecting sample rates once it reaches MAX_NR_RATES, but that check only breaks out of the inner loop. If a USB audio device sends a malformed UAC2 RANGE response containing more than the maximum number of triplets, the outer loop still parses every remaining triplet; each one generates an "invalid uac2 rates" error, all while register_mutex is held during the probe. This can cause continuous error logging and could keep the mutex locked for an extended period, leading to a denial of service or degraded system performance. The weakness aligns with CWE-400, unbounded resource consumption.
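The loop-nesting defect described above, shown as an added illustration that is not the kernel's own code: a toy C parser that mirrors the shape of parse_uac2_sample_rate_range() with a constructed MAX_NR_RATES of 8 (the kernel's real value differs) and a constructed 12-triplet RANGE response. The triplet layout (dMIN, dMAX, dRES), the function names and the sample values are assumptions for this example. The defective version keeps visiting triplets after the rate table is full and logs an error for each; the hardened version leaves the outer loop as soon as the table is full, so an oversized response costs bounded work and no log flood.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed cap for this illustration; not the kernel's MAX_NR_RATES value. */
#define MAX_NR_RATES 8

/* One UAC2 RANGE sub-range: dMIN, dMAX, dRES (assumed layout for the toy). */
struct uac2_triplet { uint32_t min, max, res; };

struct parse_result {
    unsigned nr_rates;         /* rates stored in the table */
    unsigned triplets_visited; /* outer-loop iterations executed */
    unsigned errors_logged;    /* "invalid uac2 rates" log lines emitted */
    uint32_t rates[MAX_NR_RATES];
};

/* Expand one triplet into the rate table; returns how many rates were added.
 * The cap check inside the loop only leaves THIS loop, which is the defect
 * pattern the advisory describes. */
static unsigned expand_triplet(const struct uac2_triplet *t, struct parse_result *r)
{
    unsigned added = 0;
    uint32_t rate = t->min;

    for (;;) {
        if (r->nr_rates >= MAX_NR_RATES)
            break;                        /* table full: inner loop ends */
        r->rates[r->nr_rates++] = rate;
        added++;
        if (t->res == 0 || rate >= t->max || t->max - rate < t->res)
            break;                        /* single rate or end of range */
        rate += t->res;
    }
    return added;
}

/* Defective shape: the outer loop keeps visiting triplets after the table
 * is full, so every remaining triplet yields zero rates and logs an error. */
struct parse_result parse_range_buggy(const struct uac2_triplet *tr, unsigned n)
{
    struct parse_result r;
    memset(&r, 0, sizeof r);
    for (unsigned i = 0; i < n; i++) {
        r.triplets_visited++;
        if (expand_triplet(&tr[i], &r) == 0) {
            r.errors_logged++;
            fprintf(stderr, "invalid uac2 rates (triplet %u)\n", i);
        }
    }
    return r;
}

/* Hardened shape: stop the outer loop as soon as the table is full, so a
 * device that advertises many sub-ranges costs bounded work and produces
 * no log flood. */
struct parse_result parse_range_fixed(const struct uac2_triplet *tr, unsigned n)
{
    struct parse_result r;
    memset(&r, 0, sizeof r);
    for (unsigned i = 0; i < n; i++) {
        if (r.nr_rates >= MAX_NR_RATES)
            break;                        /* leaves the OUTER loop */
        r.triplets_visited++;
        if (expand_triplet(&tr[i], &r) == 0) {
            r.errors_logged++;
            fprintf(stderr, "invalid uac2 rates (triplet %u)\n", i);
        }
    }
    return r;
}

/* Constructed oversized RANGE response: one real sub-range (8 kHz..48 kHz in
 * 8 kHz steps = 6 rates) followed by 11 single-rate triplets, 12 in total. */
#define DEMO_TRIPLETS 12
struct parse_result run_demo(int fixed)
{
    struct uac2_triplet in[DEMO_TRIPLETS];
    in[0].min = 8000; in[0].max = 48000; in[0].res = 8000;
    for (unsigned i = 1; i < DEMO_TRIPLETS; i++) {
        in[i].min = in[i].max = 96000 + 1000 * i;
        in[i].res = 0;
    }
    return fixed ? parse_range_fixed(in, DEMO_TRIPLETS)
                 : parse_range_buggy(in, DEMO_TRIPLETS);
}

int main(void)
{
    struct parse_result b = run_demo(0), f = run_demo(1);
    printf("buggy: visited=%u rates=%u errors=%u\n",
           b.triplets_visited, b.nr_rates, b.errors_logged);
    printf("fixed: visited=%u rates=%u errors=%u\n",
           f.triplets_visited, f.nr_rates, f.errors_logged);
    return 0;
}
```

With the constructed input, the defective parser visits all 12 triplets and logs 9 errors after the table fills at 8 rates; the hardened parser visits only 3 triplets and logs nothing. The work done under register_mutex in the real driver scales the same way with the number of triplets the device supplies, which is why bounding the outer loop, not just the inner one, is the relevant mitigation.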
Affected Systems
Linux kernel installations that include the ALSA usb-audio driver, regardless of distribution or flavor. No specific kernel versions are listed in the data, so any kernel build that contains the buggy driver code may be affected until the fix is applied.
Risk and Exploitability
The CVSS score is not provided and the EPSS score is unavailable, and the vulnerability is not listed in CISA’s KEV catalog. Because the flaw is an error-handling oversight rather than an access-control or code-injection vulnerability, there is no documented path to arbitrary code execution or privilege escalation. The risk is therefore considered low; however, the potential for denial of service through excessive log output or prolonged mutex contention still exists, especially in high-load or remote attack scenarios where an adversary could supply a malicious UAC2 response.
OpenCVE Enrichment