CVE-2026-31778

HIGH EPSS 2.6%
Published May 1, 20261mo ago · Modified Jun 17, 20261w ago
7.1 CVSS 3.1
High
Find Similar
Published May 1, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: fix stack out-of-bounds read in init_card The loop creates a whitespace-stripped copy of the card shortname where `len < sizeof(card->id)` is used for the bounds check. Since sizeof(card->id) is 16 and the local id buffer is also 16 bytes, writing 16 non-space characters fills the entire buffer, overwriting the terminating nullbyte. When this non-null-terminated string is later passed to snd_card_set_id() -> copy_valid_id_string(), the function scans forward with `while (*nid && ...)` and reads past the end of the stack buffer, reading the contents of the stack. A USB device with a product name containing many non-ASCII, non-space characters (e.g. multibyte UTF-8) will reliably trigger this as follows: BUG: KASAN: stack-out-of-bounds in copy_valid_id_string sound/core/init.c:696 [inline] BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock+0x698/0x74c sound/core/init.c:718 The off-by-one has been present since commit bafeee5b1f8d ("ALSA: snd_usb_caiaq: give better shortname") from June 2009 (v2.6.31-rc1), which first introduced this whitespace-stripping loop. The original code never accounted for the null terminator when bounding the copy. Fix this by changing the loop bound to `sizeof(card->id) - 1`, ensuring at least one byte remains as the null terminator.

CVSS Details

Base Score
7.1
Exploitability
1.8
Impact
5.2
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read Memory Safety

Affected Products 13

VendorProductVersionRange
linuxlinux_kernel*≥2.6.31  –  <5.10.253
linuxlinux_kernel*≥5.11  –  <5.15.203
linuxlinux_kernel*≥5.16  –  <6.1.168
linuxlinux_kernel*≥6.2  –  <6.6.134
linuxlinux_kernel*≥6.7  –  <6.12.81
linuxlinux_kernel*≥6.13  –  <6.18.22
linuxlinux_kernel*≥6.19  –  <6.19.12
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/02d9c5b0b5553a391448b6d655262bd829f90234
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3178b62e2e31bab39f63d4c8e54bf4ee0a425627
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3afa2e67f3523a980a2f90fd63c22322ac2b9ce0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3f7f8bae0d52cbd07ab04b76b6aac89ef98ee9f6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/45424e871abf2a152e247a9cff78359f18dd95c0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/66194c2575a4f567577ae70b1d7561163ce791a6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7594a6464873d90fd229e5b94cdd3b92c9feabed
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a82c1bce2d1299dd3c686a8fe48cf75b79a403c7
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/02d9c5b0b5553a391448b6d655262bd829f90234
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3178b62e2e31bab39f63d4c8e54bf4ee0a425627
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3afa2e67f3523a980a2f90fd63c22322ac2b9ce0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3f7f8bae0d52cbd07ab04b76b6aac89ef98ee9f6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/45424e871abf2a152e247a9cff78359f18dd95c0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/66194c2575a4f567577ae70b1d7561163ce791a6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7594a6464873d90fd229e5b94cdd3b92c9feabed
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a82c1bce2d1299dd3c686a8fe48cf75b79a403c7
    Patch