{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23208", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.986Z", "datePublished": "2026-02-14T16:27:30.441Z", "dateUpdated": "2026-05-11T22:02:24.809Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:02:24.809Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Prevent excessive number of frames\n\nIn this case, the user constructed the parameters with maxpacksize 40\nfor rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer\nsize for each data URB is maxpacksize * packets, which in this example\nis 40 * 6 = 240; When the user performs a write operation to send audio\ndata into the ALSA PCM playback stream, the calculated number of frames\nis packsize[0] * packets = 264, which exceeds the allocated URB buffer\nsize, triggering the out-of-bounds (OOB) issue reported by syzbot [1].\n\nAdded a check for the number of single data URB frames when calculating\nthe number of frames to prevent [1].\n\n[1]\nBUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487\nWrite of size 264 at addr ffff88804337e800 by task syz.0.17/5506\nCall Trace:\n copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487\n prepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611\n prepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/usb/pcm.c"], "versions": [{"version": "02c56650f3c118d3752122996d96173d26bb13aa", "lessThan": "480a1490c595a242f27493a4544b3efb21b29f6a", "status": "affected", "versionType": "git"}, {"version": "5ef30e443e6d3654cccecec99cf481a69a0a6d3b", "lessThan": "ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41", "status": "affected", "versionType": "git"}, {"version": "99703c921864a318e3e8aae74fde071b1ff35bea", "lessThan": "282aba56713bbc58155716b55ca7222b2d9cf3c8", "status": "affected", "versionType": "git"}, {"version": "2d50acd7dbd0682a56968ad9551341d7fc5b6eaf", "lessThan": "c4dc012b027c9eb101583011089dea14d744e314", "status": "affected", "versionType": "git"}, {"version": "aba41867dd66939d336fdf604e4d73b805d8039f", "lessThan": "e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360", "status": "affected", "versionType": "git"}, {"version": "d288dc74f8cf95cb7ae0aaf245b7128627a49bf3", "lessThan": "d67dde02049e632ba58d3c44a164a74b6a737154", "status": "affected", "versionType": "git"}, {"version": "f0bd62b64016508938df9babe47f65c2c727d25c", "lessThan": "62932d9ed639a9fa71b4ac1a56766a4b43abb7e4", "status": "affected", "versionType": "git"}, {"version": "f0bd62b64016508938df9babe47f65c2c727d25c", "lessThan": "ef5749ef8b307bf8717945701b1b79d036af0a15", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/usb/pcm.c"], "versions": [{"version": "5.8", "status": "affected"}, {"version": "0", "lessThan": "5.8", "status": "unaffected", "versionType": "semver"}, {"version": "4.4.230", "lessThanOrEqual": "4.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.9.230", "lessThanOrEqual": "4.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.14.188", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.132", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.51", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.7.8", "lessThanOrEqual": "5.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.10", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4.229", "versionEndExcluding": "4.4.230"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.229", "versionEndExcluding": "4.9.230"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.186", "versionEndExcluding": "4.14.188"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.130", "versionEndExcluding": "4.19.132"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.49", "versionEndExcluding": "5.4.51"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7.6", "versionEndExcluding": "5.7.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.18.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/480a1490c595a242f27493a4544b3efb21b29f6a"}, {"url": "https://git.kernel.org/stable/c/ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41"}, {"url": "https://git.kernel.org/stable/c/282aba56713bbc58155716b55ca7222b2d9cf3c8"}, {"url": "https://git.kernel.org/stable/c/c4dc012b027c9eb101583011089dea14d744e314"}, {"url": "https://git.kernel.org/stable/c/e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360"}, {"url": "https://git.kernel.org/stable/c/d67dde02049e632ba58d3c44a164a74b6a737154"}, {"url": "https://git.kernel.org/stable/c/62932d9ed639a9fa71b4ac1a56766a4b43abb7e4"}, {"url": "https://git.kernel.org/stable/c/ef5749ef8b307bf8717945701b1b79d036af0a15"}], "title": "ALSA: usb-audio: Prevent excessive number of frames", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CD1BFF88-C8CF-4AA8-8E24-D13928FE0DD5", "versionEndExcluding": "4.14.188", "versionStartIncluding": "4.14.186", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "87999705-F22E-4389-898A-B4B8DDDBDA7F", "versionEndExcluding": "4.19.132", "versionStartIncluding": "4.19.130", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5C83907-C9A6-43D6-AA4A-8B82C0E60FB9", "versionEndExcluding": "5.4.51", "versionStartIncluding": "5.4.49", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "958FE7C1-BD9E-4C9D-91F6-19A8E0EB9B59", "versionEndExcluding": "5.7.8", "versionStartIncluding": "5.7.6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A0D4259-1C3D-46AC-B61A-63E751C16AE1", "versionEndExcluding": "6.18.10", "versionStartIncluding": "5.8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.4.229:*:*:*:*:*:*:*", "matchCriteriaId": "088154F3-4B59-4FF5-9177-F2B91EBA283E", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:4.9.229:*:*:*:*:*:*:*", "matchCriteriaId": "BBE6AD3D-3D2D-4D6F-809E-52224BC0C930", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Prevent excessive number of frames\n\nIn this case, the user constructed the parameters with maxpacksize 40\nfor rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer\nsize for each data URB is maxpacksize * packets, which in this example\nis 40 * 6 = 240; When the user performs a write operation to send audio\ndata into the ALSA PCM playback stream, the calculated number of frames\nis packsize[0] * packets = 264, which exceeds the allocated URB buffer\nsize, triggering the out-of-bounds (OOB) issue reported by syzbot [1].\n\nAdded a check for the number of single data URB frames when calculating\nthe number of frames to prevent [1].\n\n[1]\nBUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487\nWrite of size 264 at addr ffff88804337e800 by task syz.0.17/5506\nCall Trace:\n copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487\n prepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611\n prepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nALSA: usb-audio: Prevenir un n\u00famero excesivo de tramas\n\nEn este caso, el usuario construy\u00f3 los par\u00e1metros con maxpacksize 40 para una tasa de 22050 / pps 1000, y packsize[0] 22 packsize[1] 23. El tama\u00f1o del b\u00fafer para cada URB de datos es maxpacksize * paquetes, que en este ejemplo es 40 * 6 = 240; Cuando el usuario realiza una operaci\u00f3n de escritura para enviar datos de audio al flujo de reproducci\u00f3n ALSA PCM, el n\u00famero calculado de tramas es packsize[0] * paquetes = 264, lo que excede el tama\u00f1o del b\u00fafer URB asignado, desencadenando el problema de fuera de l\u00edmites (OOB) reportado por syzbot [1].\n\nSe a\u00f1adi\u00f3 una comprobaci\u00f3n para el n\u00famero de tramas URB de datos individuales al calcular el n\u00famero de tramas para prevenir [1].\n\n[1]\nBUG: KASAN: slab-out-of-bounds en copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487\nEscritura de tama\u00f1o 264 en la direcci\u00f3n ffff88804337e800 por la tarea syz.0.17/5506\nTraza de Llamada:\n copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487\n prepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611\n prepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333"}], "id": "CVE-2026-23208", "lastModified": "2026-03-18T20:49:35.557", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-14T17:15:58.703", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/282aba56713bbc58155716b55ca7222b2d9cf3c8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/480a1490c595a242f27493a4544b3efb21b29f6a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/62932d9ed639a9fa71b4ac1a56766a4b43abb7e4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c4dc012b027c9eb101583011089dea14d744e314"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d67dde02049e632ba58d3c44a164a74b6a737154"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ef5749ef8b307bf8717945701b1b79d036af0a15"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ALSA: usb-audio: Prevent excessive number of frames", "id": "2439906", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439906"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nALSA: usb-audio: Prevent excessive number of frames\nIn this case, the user constructed the parameters with maxpacksize 40\nfor rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer\nsize for each data URB is maxpacksize * packets, which in this example\nis 40 * 6 = 240; When the user performs a write operation to send audio\ndata into the ALSA PCM playback stream, the calculated number of frames\nis packsize[0] * packets = 264, which exceeds the allocated URB buffer\nsize, triggering the out-of-bounds (OOB) issue reported by syzbot [1].\nAdded a check for the number of single data URB frames when calculating\nthe number of frames to prevent [1].\n[1]\nBUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487\nWrite of size 264 at addr ffff88804337e800 by task syz.0.17/5506\nCall Trace:\ncopy_to_urb+0x261/0x460 sound/usb/pcm.c:1487\nprepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611\nprepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333"], "name": "CVE-2026-23208", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23208\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23208\nhttps://lore.kernel.org/linux-cve-announce/2026021439-CVE-2026-23208-cc9e@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,62932d9ed639a9fa71b4ac1a56766a4b43abb7e4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,ef5749ef8b307bf8717945701b1b79d036af0a15)"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.10,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19,*]"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-17T19:21:28.309896+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that incorporates the ALSA USB audio driver fix (e.g., the latest stable release or backported patch).", "Restrict access to the /dev/snd/* device nodes to trusted users only, denying audio write access to untrusted accounts.", "If a patch is not immediately available, consider disabling or removing the ALSA USB audio subsystem from the kernel configuration to eliminate the attack vector."], "summary": {"action": "Immediate Patch", "impact": "Kernel out\u2011of\u2011bounds write that may lead to local privilege escalation"}, "threat_synthesis": {"affected_systems": "Kernel versions affected include those before the patch commit referenced in the kernel module updates. Specifically, versions 4.4.229, 4.9.229, and the 6.19 release candidates from RC1 to RC5 are known to contain the flaw. All Linux kernel installations that still use these or earlier releases without the applied fix are potentially vulnerable, regardless of vendor.", "description_and_impact": "An out\u2011of\u2011bounds write in the ALSA USB audio driver occurs when a user sends audio data to the PCM playback stream with certain parameter combinations. The driver incorrectly calculates the number of frames, exceeding the allocated URB buffer size and writing beyond the bounds of kernel memory. This buffer overflow can corrupt critical kernel structures, potentially allowing a local attacker to execute arbitrary code or gain elevated privileges. The issue is identified as a CWE\u2011787.", "risk_and_exploitability": "The CVSS score of 7.8 reflects a high severity, yet the EPSS rating of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a local user with the ability to write to the ALSA PCM device, so the attack surface is limited to systems where audio drivers are exposed to untrusted users. When present, the kernel memory corruption could be leveraged for privilege escalation to root."}}}}, "created": "2026-02-16T09:43:23.626665+00:00", "updated": "2026-04-17T19:30:15.636410+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}