{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23318", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.995Z", "datePublished": "2026-03-25T10:27:12.884Z", "dateUpdated": "2026-05-11T22:04:33.969Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:04:33.969Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Use correct version for UAC3 header validation\n\nThe entry of the validators table for UAC3 AC header descriptor is\ndefined with the wrong protocol version UAC_VERSION_2, while it should\nhave been UAC_VERSION_3. This results in the validator never matching\nfor actual UAC3 devices (protocol == UAC_VERSION_3), causing their\nheader descriptors to bypass validation entirely. A malicious USB\ndevice presenting a truncated UAC3 header could exploit this to cause\nout-of-bounds reads when the driver later accesses unvalidated\ndescriptor fields.\n\nThe bug was introduced in the same commit as the recently fixed UAC3\nfeature unit sub-type typo, and appears to be from the same copy-paste\nerror when the UAC3 section was created from the UAC2 section."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/usb/validate.c"], "versions": [{"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2", "lessThan": "82a7d0a1b88798de1a609130080ce0c65dd869e9", "status": "affected", "versionType": "git"}, {"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2", "lessThan": "8307d93e63d5f54ef10412d4db2dd551e920dee4", "status": "affected", "versionType": "git"}, {"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2", "lessThan": "0dcd1ed96c03459cf14706885c9dd3c1fd8bd29f", "status": "affected", "versionType": "git"}, {"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2", "lessThan": "a0c6ae2ea84528f198bf7fd0117f12fd0cf6d7cc", "status": "affected", "versionType": "git"}, {"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2", "lessThan": "d3904ca40515272681ae61ad6f561c24f190957f", "status": "affected", "versionType": "git"}, {"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2", "lessThan": "1e5753ff4c2e86aa88516f97a224c90a3d0b133e", "status": "affected", "versionType": "git"}, {"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2", "lessThan": "499ffd15b00dc91ac95c28f76959dfb5cdcc84d5", "status": "affected", "versionType": "git"}, {"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2", "lessThan": "54f9d645a5453d0bfece0c465d34aaf072ea99fa", "status": "affected", "versionType": "git"}, {"version": "17821e2fb16752f5d363fb5c3f8aab4df41b9bcc", "status": "affected", "versionType": "git"}, {"version": "bf74a46aebb1b5ab5e5f25bafa4ae0a453ba813a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/usb/validate.c"], "versions": [{"version": "5.4", "status": "affected"}, {"version": "0", "lessThan": "5.4", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.84"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3.11"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/82a7d0a1b88798de1a609130080ce0c65dd869e9"}, {"url": "https://git.kernel.org/stable/c/8307d93e63d5f54ef10412d4db2dd551e920dee4"}, {"url": "https://git.kernel.org/stable/c/0dcd1ed96c03459cf14706885c9dd3c1fd8bd29f"}, {"url": "https://git.kernel.org/stable/c/a0c6ae2ea84528f198bf7fd0117f12fd0cf6d7cc"}, {"url": "https://git.kernel.org/stable/c/d3904ca40515272681ae61ad6f561c24f190957f"}, {"url": "https://git.kernel.org/stable/c/1e5753ff4c2e86aa88516f97a224c90a3d0b133e"}, {"url": "https://git.kernel.org/stable/c/499ffd15b00dc91ac95c28f76959dfb5cdcc84d5"}, {"url": "https://git.kernel.org/stable/c/54f9d645a5453d0bfece0c465d34aaf072ea99fa"}], "title": "ALSA: usb-audio: Use correct version for UAC3 header validation", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7EACEB9-7173-47F4-83A4-AE06CE74D78B", "versionEndExcluding": "4.20", "versionStartIncluding": "4.19.84", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C477253-CAE4-47C3-A62D-F5EC4455A1CD", "versionEndExcluding": "5.4", "versionStartIncluding": "5.3.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5CE4B3A5-1831-420D-B001-512B8103441C", "versionEndExcluding": "5.10.253", "versionStartIncluding": "5.4.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43", "versionEndExcluding": "6.1.167", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5", "versionEndExcluding": "6.12.77", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.4:-:*:*:*:*:*:*", "matchCriteriaId": "4D70AB13-37BE-4BD3-A652-10191F1642E4", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Use correct version for UAC3 header validation\n\nThe entry of the validators table for UAC3 AC header descriptor is\ndefined with the wrong protocol version UAC_VERSION_2, while it should\nhave been UAC_VERSION_3. This results in the validator never matching\nfor actual UAC3 devices (protocol == UAC_VERSION_3), causing their\nheader descriptors to bypass validation entirely. A malicious USB\ndevice presenting a truncated UAC3 header could exploit this to cause\nout-of-bounds reads when the driver later accesses unvalidated\ndescriptor fields.\n\nThe bug was introduced in the same commit as the recently fixed UAC3\nfeature unit sub-type typo, and appears to be from the same copy-paste\nerror when the UAC3 section was created from the UAC2 section."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nALSA: usb-audio: Usar la versi\u00f3n correcta para la validaci\u00f3n del encabezado UAC3\n\nLa entrada de la tabla de validadores para el descriptor de encabezado AC UAC3 est\u00e1 definida con la versi\u00f3n de protocolo incorrecta UAC_VERSION_2, mientras que deber\u00eda haber sido UAC_VERSION_3. Esto resulta en que el validador nunca coincida para dispositivos UAC3 reales (protocolo == UAC_VERSION_3), haciendo que sus descriptores de encabezado omitan la validaci\u00f3n por completo. Un dispositivo USB malicioso que presente un encabezado UAC3 truncado podr\u00eda explotar esto para causar lecturas fuera de l\u00edmites cuando el controlador acceda posteriormente a campos de descriptor no validados.\n\nEl error fue introducido en el mismo commit que el error tipogr\u00e1fico del subtipo de unidad de caracter\u00edstica UAC3 recientemente corregido, y parece provenir del mismo error de copiar y pegar cuando la secci\u00f3n UAC3 fue creada a partir de la secci\u00f3n UAC2."}], "id": "CVE-2026-23318", "lastModified": "2026-04-23T21:05:42.333", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T11:16:28.390", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0dcd1ed96c03459cf14706885c9dd3c1fd8bd29f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1e5753ff4c2e86aa88516f97a224c90a3d0b133e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/499ffd15b00dc91ac95c28f76959dfb5cdcc84d5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/54f9d645a5453d0bfece0c465d34aaf072ea99fa"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/82a7d0a1b88798de1a609130080ce0c65dd869e9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8307d93e63d5f54ef10412d4db2dd551e920dee4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a0c6ae2ea84528f198bf7fd0117f12fd0cf6d7cc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d3904ca40515272681ae61ad6f561c24f190957f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ALSA: usb-audio: Use correct version for UAC3 header validation", "id": "2451189", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451189"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "status": "draft"}, "cwe": "CWE-1287", "details": ["A flaw was found in the Linux kernel's ALSA (Advanced Linux Sound Architecture) USB audio driver. A malicious USB Audio Class 3 (UAC3) device could exploit an incorrect protocol version used for UAC3 header validation. This error causes the device's header descriptors to bypass validation, allowing a truncated UAC3 header to trigger out-of-bounds reads when the driver processes unvalidated descriptor fields."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent the snd_usb_audio module from being loaded. See https://access.redhat.com/solutions/41278 for instructions."}, "name": "CVE-2026-23318", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23318\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23318\nhttps://lore.kernel.org/linux-cve-announce/2026032530-CVE-2026-23318-bef0@gregkh/T"], "statement": "This flaw affects systems with USB audio devices using UAC3 (USB Audio Class 3). A copy-paste error caused UAC3 header validation to use UAC_VERSION_2 instead of UAC_VERSION_3, completely bypassing validation for UAC3 devices. A malicious USB device could provide truncated descriptors to cause OOB reads. Physical access to connect the USB device is required.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[57f8770620e9b51c61089751f0b5ad3dbe376ff2,0dcd1ed96c03459cf14706885c9dd3c1fd8bd29f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[57f8770620e9b51c61089751f0b5ad3dbe376ff2,a0c6ae2ea84528f198bf7fd0117f12fd0cf6d7cc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[57f8770620e9b51c61089751f0b5ad3dbe376ff2,d3904ca40515272681ae61ad6f561c24f190957f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[57f8770620e9b51c61089751f0b5ad3dbe376ff2,1e5753ff4c2e86aa88516f97a224c90a3d0b133e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[57f8770620e9b51c61089751f0b5ad3dbe376ff2,499ffd15b00dc91ac95c28f76959dfb5cdcc84d5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[57f8770620e9b51c61089751f0b5ad3dbe376ff2,54f9d645a5453d0bfece0c465d34aaf072ea99fa)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "17821e2fb16752f5d363fb5c3f8aab4df41b9bcc"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "bf74a46aebb1b5ab5e5f25bafa4ae0a453ba813a"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.4"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T22:10:38.387601+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a release that contains the UAC3 header validation fix.", "If a kernel upgrade is not immediately possible, disable USB audio support in the kernel configuration or unload the ALSA modules to prevent the driver from loading.", "Keep monitoring kernel vendor advisories for additional patches or updates."], "summary": {"action": "Apply Patch", "impact": "Out\u2011of\u2011bounds read in ALSA USB\u2011audio driver"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in Linux kernel ALSA USB\u2011audio support in all kernel releases that did not include the fix for the UAC3 validator table. Kernels before the commit that corrected the UAC2/UAC3 copy\u2011paste error are at risk. Specific affected versions are not listed, so any distribution shipping an older kernel should review its kernel changelog for the relevant commit.", "description_and_impact": "The ALSA USB\u2011audio driver in the Linux kernel validates UAC3 header descriptors using the wrong protocol version, UAC_VERSION_2 instead of UAC_VERSION_3. As a result, UAC3 devices bypass validation and can supply a truncated header. When the driver later accesses fields of this unvalidated descriptor, it performs an out\u2011of\u2011bounds read. The flaw can lead to a crash or denial of service.", "risk_and_exploitability": "The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1\u202f% suggests a low likelihood of wide exploitation. The flaw is not listed in the CISA KEV catalog. Exploitation requires a malicious USB device to be attached to a vulnerable system. No public exploit code is known, so the primary risk is denial of service rather than remote code execution."}}}}, "created": "2026-03-25T21:15:11.197648+00:00", "updated": "2026-04-28T22:15:41.369364+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}