Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES

parse_uac2_sample_rate_range() caps the number of enumerated
rates at MAX_NR_RATES, but it only breaks out of the current
rate loop. A malformed UAC2 RANGE response with additional
triplets continues parsing the remaining triplets and repeatedly
prints "invalid uac2 rates" while probe still holds
register_mutex.

Stop the whole parse once the cap is reached and return the
number of rates collected so far.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

parse_uac2_sample_rate_range() in the ALSA usb-audio driver caps the number of enumerated sample rates at MAX_NR_RATES, but the cap only breaks out of the inner loop that expands one min/max/resolution triplet into individual rates. The outer loop over triplets keeps going, so a malformed UAC2 RANGE response that carries extra triplets makes the driver re-enter the inner loop for each remaining triplet, trip the cap again and print "invalid uac2 rates" again, all while the probe path holds the global register_mutex. The triplet count and contents come straight from the device, so a hostile or faulty USB audio device decides how long probe spins and how much kernel log it produces, and any other USB audio probe or disconnect work serialized on that mutex waits behind it. The root cause is CWE-606 (Unchecked Input for Loop Condition): device-supplied data determines the loop bound. NVD later recorded CWE-400 and then NVD-CWE-noinfo for the same entry (see History).
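To make the difference concrete, here is a small C model of the loop the description refers to. It is an illustration added to this page, not the kernel's code from sound/usb/format.c: the UAC2 RANGE layout (16-bit wNumSubRanges, then 12-byte dMIN/dMAX/dRES sub-ranges) follows the USB Audio Class 2.0 spec, the payload is constructed, MAX_NR_RATES is lowered to 16 so the sample stays small, the kernel's device-specific rate filters and two-pass table sizing are left out, and the log line is replaced by a counter; that the fixed path still logs once before returning is an assumption. The only statement that differs between the buggy and the fixed behaviour is the one marked.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Demo cap only; the real MAX_NR_RATES in sound/usb/format.c is larger. */
#define MAX_NR_RATES 16
#define TABLE_CAP    32
#define MAX_TRIPLETS 16

struct rate_ctx {
	unsigned int rate_table[TABLE_CAP];
	int nr_rates;       /* rates collected; the parser's return value */
	int err_prints;     /* stand-in for "invalid uac2 rates" log lines */
	int triplets_seen;  /* how many triplets the outer loop visited */
};

static uint32_t le32(const unsigned char *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(unsigned char *p, uint32_t v)
{
	for (int k = 0; k < 4; k++)
		p[k] = (unsigned char)(v >> (8 * k));
}

/* Constructed UAC2 RANGE payload: wNumSubRanges (LE16) followed by one
 * 12-byte dMIN/dMAX/dRES sub-range per triplet; all triplets identical. */
static void build_range(unsigned char *buf, int n, uint32_t min, uint32_t max, uint32_t res)
{
	buf[0] = (unsigned char)n;
	buf[1] = (unsigned char)(n >> 8);
	for (int i = 0; i < n; i++) {
		put_le32(&buf[2 + 12 * i], min);
		put_le32(&buf[6 + 12 * i], max);
		put_le32(&buf[10 + 12 * i], res);
	}
}

/* Records one rate; returns 1 once the cap is reached, after "logging". The store
 * is bounded here; the kernel sizes rate_table in an earlier counting pass. */
static int add_rate(struct rate_ctx *c, uint32_t rate)
{
	if (c->nr_rates < TABLE_CAP)
		c->rate_table[c->nr_rates] = rate;
	if (++c->nr_rates < MAX_NR_RATES)
		return 0;
	c->err_prints++;    /* usb_audio_err(chip, "invalid uac2 rates\n") */
	return 1;
}

/* The loop from the description, with the fix switchable. Pre-fix, hitting
 * the cap breaks only the inner rate loop, so every remaining triplet
 * re-enters it, trips the cap again and logs again. Post-fix it returns. */
static int parse_rates(struct rate_ctx *c, const unsigned char *d, int n, int fixed)
{
	memset(c, 0, sizeof(*c));
	for (int i = 0; i < n; i++) {
		uint32_t min = le32(&d[2 + 12 * i]);
		uint32_t max = le32(&d[6 + 12 * i]);
		uint32_t res = le32(&d[10 + 12 * i]);
		c->triplets_seen++;
		if (max < min || res == 0)  /* simplified kernel sanity skip */
			continue;
		for (uint64_t rate = min; rate <= max; rate += res) {
			if (!add_rate(c, (uint32_t)rate))
				continue;
			if (fixed)
				return c->nr_rates; /* fix: stop the whole parse */
			break;                      /* bug: leaves only the inner loop */
		}
	}
	return c->nr_rates;
}

/* Build a payload of n identical triplets and parse it, pre- or post-fix. */
static struct rate_ctx run(int fixed, int n, uint32_t min, uint32_t max, uint32_t res)
{
	unsigned char buf[2 + 12 * MAX_TRIPLETS];
	struct rate_ctx c;
	if (n > MAX_TRIPLETS)
		n = MAX_TRIPLETS;
	build_range(buf, n, min, max, res);
	parse_rates(&c, buf, n, fixed);
	return c;
}

int main(void)
{
	/* Malformed: 8 triplets of ten rates each (8 kHz..80 kHz, 8 kHz steps); the cap is hit in triplet two. */
	struct rate_ctx b = run(0, 8, 8000, 80000, 8000);
	struct rate_ctx a = run(1, 8, 8000, 80000, 8000);
	printf("before: %d rates, %d error prints, %d/8 triplets visited\n", b.nr_rates, b.err_prints, b.triplets_seen);
	printf("after:  %d rates, %d error prints, %d/8 triplets visited\n", a.nr_rates, a.err_prints, a.triplets_seen);
	return 0;
}
```

Run as given, the pre-fix parser visits all eight triplets, counts 22 rates and logs seven times; the post-fix parser stops inside the second triplet with 16 rates and a single log line. Both agree on a well-formed response, so the fix changes behaviour only for input that exceeds the cap.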

Affected Systems

Any Linux kernel build that includes the ALSA usb-audio driver (snd-usb-audio) and lacks the fix commit is affected. The CPE recorded by the kernel CNA is a wildcard (linux_kernel:*), so no version cutoff can be read off this page: distribution kernels have to be checked against the vendor's backport of the commit, and any kernel built from a source tree older than the fix is susceptible. Kernels built without USB audio support (CONFIG_SND_USB_AUDIO unset) do not carry the vulnerable code.

Risk and Exploitability

The recorded CVSS 3.1 vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (5.5 Medium): local access, low attack complexity, low privileges, no user interaction, and an availability impact only; Red Hat rates the issue Low. EPSS is below 1% and the CVE is not listed in CISA's KEV catalog. Based on the description, exploitation means getting a malformed UAC2 RANGE response in front of the driver, in practice by connecting a malicious or programmable USB audio device, either physically or through a compromised peripheral interface. No code execution on the host is needed: the host only has to enumerate the device, which happens automatically at plug-in, and every re-enumeration (replug, reset) runs the probe path again. Confidentiality and integrity are unaffected.

Generated by OpenCVE AI on May 28, 2026 at 06:07 UTC.

Remediation

No vendor advisory fix or workaround is recorded here yet. The upstream fix is the kernel commit named in the description, "ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES".

OpenCVE Recommended Actions

  • Apply a kernel update that carries the fix ("ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES"), which ends the parse at MAX_NR_RATES instead of continuing through the remaining triplets.
  • Reboot so the updated kernel and its snd-usb-audio module are the ones running; confirm with uname -r against the vendor's fixed version.
  • If the update cannot be applied yet, keep the driver from loading. A plain "blacklist snd-usb-audio" in /etc/modprobe.d only stops alias-based autoload on hotplug, so add "install snd-usb-audio /bin/false" as well, then unload the module (modprobe -r snd-usb-audio) once no USB audio device is in use. The module is snd-usb-audio to modprobe and appears as snd_usb_audio in lsmod and /proc/modules.
  • For additional short-term protection, disconnect unused USB audio devices and, where policy allows, restrict which USB devices hosts will enumerate (for example with USBGuard), so no untrusted device can present a crafted UAC2 RANGE response.
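An added example (not from OpenCVE or the kernel project) of the module-blocking action above: the modprobe.d configuration in its weak and hardened forms, a writer that targets a chosen directory so the file can be staged before touching /etc/modprobe.d, and a check against /proc/modules text. The two /proc/modules excerpts are constructed samples, and the file name cve-2026-46018-snd-usb-audio.conf is a choice made here, not a vendor convention.

```shell
#!/bin/sh
# Hard-block the ALSA USB audio driver until a patched kernel is running.
# Two spellings matter: snd-usb-audio for modprobe.d, snd_usb_audio in
# /proc/modules and lsmod output.
MOD=snd-usb-audio
MOD_PROC=snd_usb_audio
CONF_NAME="cve-2026-46018-$MOD.conf"

# Weak form: stops alias-based autoload (the udev hotplug path) only; an
# explicit "modprobe snd-usb-audio" still succeeds.
weak_conf() {
	printf 'blacklist %s\n' "$MOD"
}

# Hardened form: "install ... /bin/false" makes loading by name fail too,
# so nothing brings the driver back until this file is removed.
hard_conf() {
	printf 'blacklist %s\ninstall %s /bin/false\n' "$MOD" "$MOD"
}

# Write the hardened form into a modprobe.d directory (default /etc/modprobe.d;
# pass another directory to stage or test it) and print the path written.
write_conf() {
	dir=${1:-/etc/modprobe.d}
	hard_conf > "$dir/$CONF_NAME" && printf '%s\n' "$dir/$CONF_NAME"
}

# Read /proc/modules-formatted text from stdin; succeed if the driver is loaded.
# On a live host: loaded_in < /proc/modules
loaded_in() {
	grep -q "^$MOD_PROC[[:space:]]"
}

# Constructed /proc/modules excerpts: a host with the USB audio driver loaded,
# and one with only a PCI HDA controller.
SAMPLE_LOADED='snd_usb_audio 372736 0 - Live 0x0000000000000000
snd_usbmidi_lib 45056 1 snd_usb_audio, Live 0x0000000000000000
snd_pcm 147456 1 snd_usb_audio, Live 0x0000000000000000'
SAMPLE_CLEAN='snd_hda_intel 57344 3 - Live 0x0000000000000000
snd_pcm 147456 1 snd_hda_intel, Live 0x0000000000000000'

# On a real host (as root), after disconnecting USB audio devices:
#   write_conf && modprobe -r snd-usb-audio
# modprobe -r fails while a device is open; the config still prevents a
# reload at the next hotplug or boot.
```

The weak form alone is a common mistake: udev loads the driver through the module's USB modaliases, which `blacklist` suppresses, but anything that names the module directly still loads it, which is why the `install` line is what actually closes the door.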



Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Mon, 01 Jun 2026 17:00:00 +0000


Thu, 28 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-606
References
Metrics threat_severity: None -> Low; cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Wed, 27 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Wed, 27 May 2026 14:15:00 +0000

Type                 Values Added
Description          In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES parse_uac2_sample_rate_range() caps the number of enumerated rates at MAX_NR_RATES, but it only breaks out of the current rate loop. A malformed UAC2 RANGE response with additional triplets continues parsing the remaining triplets and repeatedly prints "invalid uac2 rates" while probe still holds register_mutex. Stop the whole parse once the cap is reached and return the number of rates collected so far.
Title                ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
First Time appeared  Linux; Linux linux Kernel
CPEs                 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products   Linux; Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:48:18.248Z

Reserved: 2026-05-13T15:03:33.092Z

Link: CVE-2026-46018

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-27T14:17:20.240

Modified: 2026-06-16T15:23:42.600

Link: CVE-2026-46018

Red Hat

Severity : Low

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46018 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T06:45:10Z

Weaknesses