Skip to main content

Linux CVE-2026-23318

| EUVDEUVD-2026-15267 HIGH
Out-of-bounds Read (CWE-125)
2026-03-25 Linux
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
6.6 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 23, 2026 - 21:11 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 21:11 NVD
7.1 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15267
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Use correct version for UAC3 header validation

The entry of the validators table for UAC3 AC header descriptor is defined with the wrong protocol version UAC_VERSION_2, while it should have been UAC_VERSION_3. This results in the validator never matching for actual UAC3 devices (protocol == UAC_VERSION_3), causing their header descriptors to bypass validation entirely. A malicious USB device presenting a truncated UAC3 header could exploit this to cause out-of-bounds reads when the driver later accesses unvalidated descriptor fields.

The bug was introduced in the same commit as the recently fixed UAC3 feature unit sub-type typo, and appears to be from the same copy-paste error when the UAC3 section was created from the UAC2 section.

AnalysisAI

A descriptor validation bypass in the Linux kernel's ALSA USB audio subsystem allows malicious USB devices to provide truncated UAC3 (USB Audio Class 3) header descriptors that escape validation checks, potentially causing out-of-bounds memory reads. The vulnerability stems from an incorrect protocol version constant (UAC_VERSION_2 instead of UAC_VERSION_3) in the validator table, causing validation logic to never execute for actual UAC3 devices. Affected are all Linux kernel versions containing the vulnerable code path; while CVSS and EPSS scores are not provided, this is a local privilege escalation / denial of service vector requiring physical USB device access or local code execution capability to exploit.

Technical ContextAI

The ALSA (Advanced Linux Sound Architecture) subsystem in the Linux kernel implements protocol-specific descriptor validators for USB audio devices conforming to the USB Audio Class (UAC) specification. The vulnerability resides in the UAC3 AC (Audio Control) header descriptor validation table, where a copy-paste error from UAC2 implementation left the version identifier set to UAC_VERSION_2 instead of UAC_VERSION_3. When a device reports protocol version 3, the validator entry is never matched due to version mismatch, causing the kernel to skip validation and directly access descriptor fields without bounds checking. This is classified under CWE categories related to improper input validation and buffer over-read vulnerabilities. Affected Linux kernel versions are identified via CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* across all distributions shipping the vulnerable kernel code.

RemediationAI

Immediately upgrade the Linux kernel to a patched version that includes one of the six referenced commits from the kernel stable tree (specifically the commits addressing the UAC_VERSION_3 correction: https://git.kernel.org/stable/c/0dcd1ed96c03459cf14706885c9dd3c1fd8bd29f and related stable backports). Check your distribution's security advisory channels for kernel updates that incorporate these patches. Until patching is feasible, implement compensating controls by disabling USB audio device support via kernel module blacklisting (blacklist snd_usb_audio and related modules) if the functionality is not required, restricting physical USB port access via BIOS/firmware settings or physical locks, and isolating systems that must accept USB audio devices to air-gapped or heavily monitored environments. For production systems, prioritize kernel updates from your distribution vendor (Ubuntu Security, Red Hat, Debian Security) as they will provide tested, backported fixes.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23318 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy