{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25068", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-01-28T21:47:35.120Z", "datePublished": "2026-01-29T19:08:03.986Z", "dateUpdated": "2026-05-11T23:11:05.236Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "alsa-lib", "vendor": "ALSA Project", "versions": [{"lessThan": "1.2.15.2", "status": "affected", "version": "1.2.2", "versionType": "custom"}, {"status": "unaffected", "version": "5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40", "versionType": "git"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:alsa-project:alsa-lib:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.2.2", "versionEndExcluding": "1.2.15.2"}]}]}], "credits": [{"lang": "en", "type": "finder", "value": "Sajeeb Lohani (sml555 / prodigysml)"}, {"lang": "en", "type": "coordinator", "value": "VulnCheck"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><div>alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash.</div></div>"}], "value": "alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 4.6, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-129", "description": "CWE-129 Improper Validation of Array Index", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-11T23:11:05.236Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/alsa-lib-topology-decoder-heap-based-buffer-overflow"}], "source": {"discovery": "UNKNOWN"}, "title": "alsa-lib 1.2.15.2 Topology Decoder Heap-based Buffer Overflow", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-29T20:23:55.212503Z", "id": "CVE-2026-25068", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T20:24:16.805Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00008.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-06T00:15:45.511Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00008.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-06T00:15:45.511Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25068", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-29T20:23:55.212503Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T20:24:07.163Z"}}], "cna": {"title": "alsa-lib 1.2.15.2 Topology Decoder Heap-based Buffer Overflow", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Sajeeb Lohani (sml555 / prodigysml)"}, {"lang": "en", "type": "coordinator", "value": "VulnCheck"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.6, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ALSA Project", "product": "alsa-lib", "versions": [{"status": "affected", "version": "1.2.2", "lessThan": "1.2.15.2", "versionType": "custom"}, {"status": "unaffected", "version": "5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40", "versionType": "git"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/alsa-lib-topology-decoder-heap-based-buffer-overflow", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash.", "supportingMedia": [{"type": "text/html", "value": "<div><div>alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash.</div></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-129", "description": "CWE-129 Improper Validation of Array Index"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:alsa-project:alsa-lib:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.2.15.2", "versionStartIncluding": "1.2.2"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-11T23:11:05.236Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25068", "state": "PUBLISHED", "dateUpdated": "2026-05-11T23:11:05.236Z", "dateReserved": "2026-01-28T21:47:35.120Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-01-29T19:08:03.986Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash."}, {"lang": "es", "value": "Las versiones de alsa-lib 1.2.2 hasta la 1.2.15.2 inclusive, anteriores al commit 5f7fe33, contienen un desbordamiento de b\u00fafer basado en mont\u00edculo en el decodificador de control del mezclador de topolog\u00eda. La funci\u00f3n tplg_decode_control_mixer1() lee el campo num_channels de datos .tplg no confiables y lo utiliza como l\u00edmite de bucle sin validarlo contra el array de canales de tama\u00f1o fijo (SND_TPLG_MAX_CHAN). Un archivo de topolog\u00eda manipulado con un valor excesivo de num_channels puede causar escrituras fuera de l\u00edmites en el mont\u00edculo, lo que lleva a un fallo."}], "id": "CVE-2026-25068", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-01-29T20:16:10.623", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/alsa-lib-topology-decoder-heap-based-buffer-overflow"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00008.html"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-129"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{"bugzilla": {"description": "alsa-lib: alsa-lib Topology Decoder Heap-based Buffer Overflow", "id": "2435372", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2435372"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-787", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-25068", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "alsa-lib", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "alsa-lib", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "alsa-lib", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "alsa-lib", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "alsa-lib", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-29T19:08:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25068\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25068\nhttps://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40\nhttps://www.vulncheck.com/advisories/alsa-lib-topology-decoder-heap-based-buffer-overflow"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-16T17:36:01.955092+00:00", "value": {"mitigation_remediation": ["Update to a patched version of alsa-lib (1.2.15.3 or later, which incorporates commit 5f7fe33).", "Until a patch is available, delete or rename any custom or untrusted .tplg files from locations such as /usr/share/alsa, /etc/alsa, or user\u2011specific directories, preventing the decoder from processing them.", "Apply strict file permissions on all topology files so that only trusted users or processes can create or modify them, thereby limiting the ability of an attacker to supply a malicious topology."], "summary": {"action": "Apply Patch", "impact": "Denial of Service via heap overflow"}, "threat_synthesis": {"affected_systems": "ALSA Project alsa-lib, versions 1.2.2 to and including 1.2.15.2. The issue was fixed in commit 5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40 and any releases derived from that commit.", "description_and_impact": "In alsa-lib versions 1.2.2 through 1.2.15.2, the topology mixer control decoder reads a channel count field from an untrusted .tplg file and uses it as a loop bound without validating it against the library\u2019s fixed-size channel array. This missing bounds check leads to a heap\u2011based buffer overflow that can overwrite adjacent memory and crash the process. The vulnerability causes loss of service because it terminates the ALSA control daemon. It does not provide an attacker with privilege escalation or remote code execution.", "risk_and_exploitability": "The CVSS score of 4.6 reflects moderate severity; the EPSS score of <\u202f1\u202f% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply a crafted topology file that is processed by the ALSA control subsystem, typically via local user actions or by compromising a process that loads custom topology data. The absence of network\u2011exposed triggers means the attack vector is local and dependent on file handling privileges."}}}}, "created": "2026-01-30T08:42:18.973066+00:00", "updated": "2026-04-16T17:45:27.370733+00:00", "vendors": ["alsa-project", "alsa-project$PRODUCT$alsa-lib"]}