Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()

snd_ctl_elem_init_enum_names() advances pointer p through the names
buffer while decrementing buf_len. If buf_len reaches zero but items
remain, the next iteration calls strnlen(p, 0).

While strnlen(p, 0) returns 0 and would hit the existing name_len == 0
error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks
maxlen against __builtin_dynamic_object_size(). When Clang loses track
of p's object size inside the loop, this triggers a BRK exception panic
before the return value is examined.

Add a buf_len == 0 guard at the loop entry to prevent calling fortified
strnlen() on an exhausted buffer.

Found by kernel fuzz testing through Xiaomi Smartphone.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in the ALSA control subsystem of the Linux kernel, where the function that initializes enumeration names walks past a buffer while decrementing a counter without first verifying that the counter is non‑zero. When the counter reaches zero, the loop calls fortified strnlen with a maximum length of zero, causing a BRK exception that crashes the kernel. The crash results in a kernel panic and a system reboot, effectively denying service.

Affected Systems

All Linux kernel builds that include the ALSA control driver and that have not incorporated the upstream patch adding a guard against zero buffer length. The issue is present in the default kernels shipped by distributors until they apply the updated source, as the product is the Linux operating system in general.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity, and the CVE is not listed in the CISA KEV catalog. Exploitation requires local access to the ALSA control interface; a user process can supply crafted enumeration values that trigger the bug. Remote exploitation is unlikely because the vulnerability is confined to kernel space and depends on local manipulation of ALSA controls. The primary risk is a denial‑of‑service from a kernel panic that can interrupt all processes on the affected system.

Generated by OpenCVE AI on May 28, 2026 at 03:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the ALSA buffer‑length guard patch, normally available in the mainline repository following commit 1fbe46d2b727.
  • If immediate package updates are unavailable, cherry‑pick the relevant upstream commit to apply the patch manually, rebuild the kernel, and install the updated image.
  • Reboot the system after applying the updated kernel to ensure the patched driver is loaded and the vulnerability is neutralized.

Generated by OpenCVE AI on May 28, 2026 at 03:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-805
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Wed, 27 May 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names() snd_ctl_elem_init_enum_names() advances pointer p through the names buffer while decrementing buf_len. If buf_len reaches zero but items remain, the next iteration calls strnlen(p, 0). While strnlen(p, 0) returns 0 and would hit the existing name_len == 0 error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks maxlen against __builtin_dynamic_object_size(). When Clang loses track of p's object size inside the loop, this triggers a BRK exception panic before the return value is examined. Add a buf_len == 0 guard at the loop entry to prevent calling fortified strnlen() on an exhausted buffer. Found by kernel fuzz testing through Xiaomi Smartphone.
Title ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:58:31.895Z

Reserved: 2026-05-13T15:03:33.096Z

Link: CVE-2026-46088

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:30.333

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46088

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46088 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T03:45:06Z

Weaknesses