CVE-2026-23208

Severity: HIGH · CVSS 3.1: 7.8 · EPSS 2.2%
Published Feb 14, 2026 · Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Prevent excessive number of frames

In this case, the user constructed the parameters with maxpacksize 40 for rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer size for each data URB is maxpacksize * packets, which in this example is 40 * 6 = 240. When the user performs a write operation to send audio data into the ALSA PCM playback stream, the calculated number of frames is packsize[0] * packets = 264, which exceeds the allocated URB buffer size, triggering the out-of-bounds (OOB) issue reported by syzbot [1].

Added a check for the number of single data URB frames when calculating the number of frames to prevent [1].

[1]
    BUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487
    Write of size 264 at addr ffff88804337e800 by task syz.0.17/5506
    Call Trace:
     copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487
     prepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611
     prepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-787 Out-of-bounds Write Memory Safety

Affected Products 12

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥4.14.186 – <4.14.188
linux   linux_kernel  *        ≥4.19.130 – <4.19.132
linux   linux_kernel  *        ≥5.4.49 – <5.4.51
linux   linux_kernel  *        ≥5.7.6 – <5.7.8
linux   linux_kernel  *        ≥5.8 – <6.18.10
linux   linux_kernel  4.4.229  any
linux   linux_kernel  4.9.229  any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/282aba56713bbc58155716b55ca7222b2d9cf3c8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/480a1490c595a242f27493a4544b3efb21b29f6a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/62932d9ed639a9fa71b4ac1a56766a4b43abb7e4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c4dc012b027c9eb101583011089dea14d744e314
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d67dde02049e632ba58d3c44a164a74b6a737154
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ef5749ef8b307bf8717945701b1b79d036af0a15
    Patch
