CVE-2026-31602

HIGH EPSS 3.1%
Published Apr 24, 20262mo ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published Apr 24, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Limit PTP to a single page Commit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256 playback streams, but the additional pages are not used by the card correctly. The CT20K2 hardware already has multiple VMEM_PTPAL registers, but using them separately would require refactoring the entire virtual memory allocation logic. ct_vm_map() always uses PTEs in vm->ptp[0].area regardless of CT_PTP_NUM. On AMD64 systems, a single PTP covers 512 PTEs (2M). When aggregate memory allocations exceed this limit, ct_vm_map() tries to access beyond the allocated space and causes a page fault: BUG: unable to handle page fault for address: ffffd4ae8a10a000 Oops: Oops: 0002 [#1] SMP PTI RIP: 0010:ct_vm_map+0x17c/0x280 [snd_ctxfi] Call Trace: atc_pcm_playback_prepare+0x225/0x3b0 ct_pcm_playback_prepare+0x38/0x60 snd_pcm_do_prepare+0x2f/0x50 snd_pcm_action_single+0x36/0x90 snd_pcm_action_nonatomic+0xbf/0xd0 snd_pcm_ioctl+0x28/0x40 __x64_sys_ioctl+0x97/0xe0 do_syscall_64+0x81/0x610 entry_SYSCALL_64_after_hwframe+0x76/0x7e Revert CT_PTP_NUM to 1. The 256 SRC_RESOURCE_NUM and playback_count remain unchanged.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
3.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 5

VendorProductVersionRange
linuxlinux_kernel*≥3.2  –  <6.6.136
linuxlinux_kernel*≥6.7  –  <6.12.83
linuxlinux_kernel*≥6.13  –  <6.18.24
linuxlinux_kernel*≥6.19  –  <6.19.14
linuxlinux_kernel*≥7.0  –  <7.0.1

References 9

  • git.kernel.org https://git.kernel.org/stable/c/2b4331c08c0b385598b4d8ccd71e93ab3f4b2578
  • git.kernel.org https://git.kernel.org/stable/c/365c36e1a126c6aa1aecedd3a351bcabc66f0c29
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3fd0685d7fef68c2d8a04876bcf9eaa0724ad6a5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/452894005b4abe141b11fe01e7bfe152e6d3860f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ad9011a795407093dcf507f6e5da1828987b4b47
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b7f5ecd13cce8c2f8fa5a84c9aab65997142577e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c5908160e17cb56e1f61fbaee08adc21083f4933
  • git.kernel.org https://git.kernel.org/stable/c/de8016fb0904d68ac886e375069535996baa42ee
  • git.kernel.org https://git.kernel.org/stable/c/e9418da50d9e5c496c22fe392e4ad74c038a94eb
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/365c36e1a126c6aa1aecedd3a351bcabc66f0c29
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3fd0685d7fef68c2d8a04876bcf9eaa0724ad6a5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/452894005b4abe141b11fe01e7bfe152e6d3860f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ad9011a795407093dcf507f6e5da1828987b4b47
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b7f5ecd13cce8c2f8fa5a84c9aab65997142577e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e9418da50d9e5c496c22fe392e4ad74c038a94eb
    Patch