Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Bound MIDI endpoint descriptor scans

snd_usbmidi_get_ms_info() validates the internal MIDIStreaming endpoint
descriptor size before using baAssocJackID[], but the descriptor walker can
still return a class-specific endpoint descriptor whose bLength exceeds the
remaining bytes in the endpoint-extra scan.

That leaves later flexible-array reads bounded by bLength, but not by the
remaining bytes in the endpoint-extra scan.

Stop walking when bLength is zero or
extends past the remaining endpoint-extra scan.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the ALSA USB audio driver, where the function that parses MIDI streaming endpoint descriptors does not fully verify that the descriptor length fits within the remaining data. This can allow a malicious USB audio device to send a descriptor whose reported length exceeds the actual bytes present, enabling flexible‑array reads that go beyond the bounds of the allocated buffer. The result is a kernel read of unintended memory, potentially leaking sensitive information. The weakness corresponds to CWE‑125: Out‑of‑Bounds Read.
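A user-space sketch of the bounded walk the description calls for, added here as an illustration and not the kernel's own code. The names find_ms_ep and ms_ep_jack_count and the sample buffers are hypothetical and constructed; the descriptor layout and the type/subtype values are assumed from the USB MIDIStreaming class definition.

```c
#include <stdint.h>
#include <stdio.h>

#define DT_CS_ENDPOINT 0x25 /* class-specific endpoint descriptor type */
#define MS_GENERAL     0x01 /* MIDIStreaming "general" subtype */

struct ms_ep_desc {          /* class-specific MS endpoint descriptor */
    uint8_t bLength;
    uint8_t bDescriptorType;
    uint8_t bDescriptorSubtype;
    uint8_t bNumEmbMIDIJack;
    uint8_t baAssocJackID[]; /* bNumEmbMIDIJack entries */
};

/* Constructed samples: valid (2 jacks); bLength 9 with only 6 bytes present. */
static const uint8_t sample_ok[]  = { 0x06, 0x25, 0x01, 0x02, 0x01, 0x02 };
static const uint8_t sample_bad[] = { 0x09, 0x25, 0x01, 0x05, 0x01, 0x02 };

/* Walk endpoint-extra bytes; stop when bLength is zero or runs past the
 * remaining bytes, so a returned descriptor lies wholly inside the buffer. */
static const struct ms_ep_desc *find_ms_ep(const uint8_t *extra, size_t len)
{
    while (len >= 2) {
        uint8_t blen = extra[0];
        if (blen == 0 || blen > len)
            return NULL;                /* malformed: stop walking */
        if (blen >= sizeof(struct ms_ep_desc) &&
            extra[1] == DT_CS_ENDPOINT && extra[2] == MS_GENERAL)
            return (const struct ms_ep_desc *)extra;
        extra += blen;
        len -= blen;
    }
    return NULL;
}

/* Number of jack IDs safe to read, or -1 if absent or inconsistent. */
static int ms_ep_jack_count(const uint8_t *extra, size_t len)
{
    const struct ms_ep_desc *d = find_ms_ep(extra, len);
    if (!d || (size_t)d->bLength < sizeof(*d) + d->bNumEmbMIDIJack)
        return -1;
    return d->bNumEmbMIDIJack;
}

int main(void)
{
    printf("ok=%d bad=%d\n", ms_ep_jack_count(sample_ok, sizeof sample_ok),
           ms_ep_jack_count(sample_bad, sizeof sample_bad));
}
```

Without the `blen > len` check, the walker would hand back sample_bad as a valid descriptor and the later jack-ID reads would be limited only by its claimed bLength of 9.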

Affected Systems

All Linux kernel installations that include the ALSA USB audio driver are vulnerable. No specific kernel versions are listed; the vulnerability is resolved in the kernel tree after commit 09141583bd97f4bbd7358e29fd138fe798467cdb and related subsequent updates.

Risk and Exploitability

Because the flaw permits only reads of kernel memory, it is an information‑disclosure risk rather than a direct escalation path. The attack requires physical access to supply a crafted USB audio device, so the entry‑point is local but depends on device interaction. No CVSS score or EPSS data is available, and the vulnerability is not currently listed in the CISA KEV catalog. The likelihood of exploitation in the wild appears low, though the potential to expose confidential data warrants timely remediation.

Generated by OpenCVE AI on June 24, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the patch from commit 09141583bd97f4bbd7358e29fd138fe798467cdb and any subsequent commits in the same change set.
  • Reboot the system after updating to ensure the new kernel and driver code are in use.
  • If immediate kernel updates are impossible, temporarily blacklist the snd-usb-midi and snd-usb-audio kernel modules to prevent the vulnerable driver from loading, or disable USB audio device support through system configuration.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 18:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-125

Wed, 24 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Bound MIDI endpoint descriptor scans snd_usbmidi_get_ms_info() validates the internal MIDIStreaming endpoint descriptor size before using baAssocJackID[], but the descriptor walker can still return a class-specific endpoint descriptor whose bLength exceeds the remaining bytes in the endpoint-extra scan. That leaves later flexible-array reads bounded by bLength, but not by the remaining bytes in the endpoint-extra scan. Stop walking when bLength is zero or extends past the remaining endpoint-extra scan.
Title | | ALSA: usb-audio: Bound MIDI endpoint descriptor scans
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:28:43.593Z

Reserved: 2026-06-09T07:44:35.374Z

Link: CVE-2026-52963

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T18:30:06Z

Weaknesses