{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23078", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.959Z", "datePublished": "2026-02-04T16:08:03.283Z", "dateUpdated": "2026-05-11T21:59:34.569Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:59:34.569Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Fix buffer overflow in config retrieval\n\nThe scarlett2_usb_get_config() function has a logic error in the\nendianness conversion code that can cause buffer overflows when\ncount > 1.\n\nThe code checks `if (size == 2)` where `size` is the total buffer size in\nbytes, then loops `count` times treating each element as u16 (2 bytes).\nThis causes the loop to access `count * 2` bytes when the buffer only\nhas `size` bytes allocated.\n\nFix by checking the element size (config_item->size) instead of the\ntotal buffer size. This ensures the endianness conversion matches the\nactual element type."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/usb/mixer_scarlett2.c"], "versions": [{"version": "ac34df733d2dfe3b553897a1e9e1a44414f09834", "lessThan": "d5e80d1f97ae55bcea1426f551e4419245b41b9c", "status": "affected", "versionType": "git"}, {"version": "ac34df733d2dfe3b553897a1e9e1a44414f09834", "lessThan": "51049f6e3f05d70660e2458ad3bb302a3721b751", "status": "affected", "versionType": "git"}, {"version": "ac34df733d2dfe3b553897a1e9e1a44414f09834", "lessThan": "91a756d22f0482eac5bedb113c8922f90b254449", "status": "affected", "versionType": "git"}, {"version": "ac34df733d2dfe3b553897a1e9e1a44414f09834", "lessThan": "27049f50be9f5ae3a62d272128ce0b381cb26a24", "status": "affected", "versionType": "git"}, {"version": "ac34df733d2dfe3b553897a1e9e1a44414f09834", "lessThan": "31a3eba5c265a763260976674a22851e83128f6d", "status": "affected", "versionType": "git"}, {"version": "ac34df733d2dfe3b553897a1e9e1a44414f09834", "lessThan": "6f5c69f72e50d51be3a8c028ae7eda42c82902cb", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/usb/mixer_scarlett2.c"], "versions": [{"version": "5.14", "status": "affected"}, {"version": "0", "lessThan": "5.14", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.199", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "5.15.199"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d5e80d1f97ae55bcea1426f551e4419245b41b9c"}, {"url": "https://git.kernel.org/stable/c/51049f6e3f05d70660e2458ad3bb302a3721b751"}, {"url": "https://git.kernel.org/stable/c/91a756d22f0482eac5bedb113c8922f90b254449"}, {"url": "https://git.kernel.org/stable/c/27049f50be9f5ae3a62d272128ce0b381cb26a24"}, {"url": "https://git.kernel.org/stable/c/31a3eba5c265a763260976674a22851e83128f6d"}, {"url": "https://git.kernel.org/stable/c/6f5c69f72e50d51be3a8c028ae7eda42c82902cb"}], "title": "ALSA: scarlett2: Fix buffer overflow in config retrieval", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0EEEC50-FFAD-4440-85F6-5EDA9D0DF2CB", "versionEndExcluding": "5.15.199", "versionStartIncluding": "5.14", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6579E0D4-0641-479D-A4C3-0EF618798C55", "versionEndExcluding": "6.1.162", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F", "versionEndExcluding": "6.6.122", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "52F38E19-0FDD-4992-9D6D-D4169D689598", "versionEndExcluding": "6.12.68", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E65C6E79-7EBE-4C77-93F0-818CF5B38F4E", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Fix buffer overflow in config retrieval\n\nThe scarlett2_usb_get_config() function has a logic error in the\nendianness conversion code that can cause buffer overflows when\ncount > 1.\n\nThe code checks `if (size == 2)` where `size` is the total buffer size in\nbytes, then loops `count` times treating each element as u16 (2 bytes).\nThis causes the loop to access `count * 2` bytes when the buffer only\nhas `size` bytes allocated.\n\nFix by checking the element size (config_item->size) instead of the\ntotal buffer size. This ensures the endianness conversion matches the\nactual element type."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nALSA: scarlett2: Correcci\u00f3n de desbordamiento de b\u00fafer en la recuperaci\u00f3n de configuraci\u00f3n\n\nLa funci\u00f3n scarlett2_usb_get_config() tiene un error l\u00f3gico en el c\u00f3digo de conversi\u00f3n de endianness que puede causar desbordamientos de b\u00fafer cuando count > 1.\n\nEl c\u00f3digo comprueba 'if (size == 2)' donde 'size' es el tama\u00f1o total del b\u00fafer en bytes, luego itera 'count' veces tratando cada elemento como u16 (2 bytes). Esto hace que el bucle acceda a 'count * 2' bytes cuando el b\u00fafer solo tiene 'size' bytes asignados.\n\nSoluci\u00f3n comprobando el tama\u00f1o del elemento (config_item->size) en lugar del tama\u00f1o total del b\u00fafer. Esto asegura que la conversi\u00f3n de endianness coincida con el tipo de elemento real."}], "id": "CVE-2026-23078", "lastModified": "2026-03-18T13:53:29.963", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T17:16:18.543", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/27049f50be9f5ae3a62d272128ce0b381cb26a24"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/31a3eba5c265a763260976674a22851e83128f6d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/51049f6e3f05d70660e2458ad3bb302a3721b751"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6f5c69f72e50d51be3a8c028ae7eda42c82902cb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/91a756d22f0482eac5bedb113c8922f90b254449"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d5e80d1f97ae55bcea1426f551e4419245b41b9c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ALSA: scarlett2: Fix buffer overflow in config retrieval", "id": "2436825", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436825"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23078", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23078\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23078\nhttps://lore.kernel.org/linux-cve-announce/2026020420-CVE-2026-23078-61cc@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-17T23:38:14.841003+00:00", "value": {"mitigation_remediation": ["Install a Linux kernel version that includes the ALSA scarlett2 driver patch (v6.19\u202frc6 or later).", "Reboot the system to ensure the upgraded kernel and driver are active and verify that the driver reports the expected version string.", "If a kernel upgrade is not yet possible, disable the scarlett2 driver at boot or disconnect the USB device to eliminate the attack surface until an update is available."], "summary": {"action": "Apply Patch", "impact": "Buffer overflow in ALSA scarlett2 config retrieval leading to potential memory corruption"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in the Linux kernel for all releases that include the ALSA scarlett2 driver, notably kernel 6.19 rc1 through rc6 and prior to the commit that introduced the fix. Any workstation, server, or embedded device running the affected kernel and using a Scarlett\u202f2 USB audio interface is potentially exposed. System administrators should inspect kernel version and confirm whether the device is in use.", "description_and_impact": "A logic error in the ALSA scarlett2 driver causes the endianness conversion loop to read twice as many bytes as the allocated buffer when the element size is not correctly checked, resulting in a classic buffer overflow (CWE\u2011787). This overflow could corrupt adjacent memory and, depending on the context, could allow an attacker to influence program flow or trigger a denial of service. The impact is restricted to systems that load the scarlett2_usb_get_config function while processing USB configuration data.", "risk_and_exploitability": "The CVSS score of 7.8 indicates high severity. The EPSS score is below 1\u202f%, suggesting a low probability of widespread exploitation at present, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attack access is likely local or requires the ability to influence USB configuration messages; the user must have sufficient privileges to load or communicate with the ALSA driver. Because the flaw originates from a mis\u2011rated loop, an attacker with code execution in kernel mode or the ability to manipulate USB device descriptors could trigger the overflow. The low EPSS score, however, implies moderate risk as exploitation would require specific conditions on the target system."}}}}, "created": "2026-04-17T23:45:25.811010+00:00", "updated": "2026-04-17T23:45:25.811021+00:00", "vendors": []}