Skip to main content

Linux Kernel CVE-2026-31602

| EUVDEUVD-2026-25495 HIGH
2026-04-24 Linux GHSA-426x-jc5h-fmgg
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 29, 2026 - 20:22 vuln.today
cvss_changed
Patch released
Apr 29, 2026 - 20:16 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:34 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.8 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25495
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ALSA: ctxfi: Limit PTP to a single page

Commit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256 playback streams, but the additional pages are not used by the card correctly. The CT20K2 hardware already has multiple VMEM_PTPAL registers, but using them separately would require refactoring the entire virtual memory allocation logic.

ct_vm_map() always uses PTEs in vm->ptp[0].area regardless of CT_PTP_NUM. On AMD64 systems, a single PTP covers 512 PTEs (2M). When aggregate memory allocations exceed this limit, ct_vm_map() tries to access beyond the allocated space and causes a page fault:

BUG: unable to handle page fault for address: ffffd4ae8a10a000 Oops: Oops: 0002 [#1] SMP PTI RIP: 0010:ct_vm_map+0x17c/0x280 [snd_ctxfi] Call Trace: atc_pcm_playback_prepare+0x225/0x3b0 ct_pcm_playback_prepare+0x38/0x60 snd_pcm_do_prepare+0x2f/0x50 snd_pcm_action_single+0x36/0x90 snd_pcm_action_nonatomic+0xbf/0xd0 snd_pcm_ioctl+0x28/0x40 __x64_sys_ioctl+0x97/0xe0 do_syscall_64+0x81/0x610 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Revert CT_PTP_NUM to 1. The 256 SRC_RESOURCE_NUM and playback_count remain unchanged.

AnalysisAI

Memory access violation in Linux kernel ALSA ctxfi driver allows local authenticated users to trigger kernel page faults and potential privilege escalation. The flaw affects CT20K2 audio hardware drivers (snd_ctxfi module) where virtual memory mapping logic incorrectly accesses beyond allocated page table pages when aggregate memory allocations exceed 2MB on AMD64 systems. EPSS exploitation probability is very low (0.02%, 5th percentile) and no public exploit or active exploitation is confirmed. Vendor-released patches available across multiple stable kernel branches (6.12.83, 6.18.24, 6.19.14, 7.0.1).

Technical ContextAI

The vulnerability exists in the ALSA (Advanced Linux Sound Architecture) ctxfi driver for Creative CT20K2 audio chipsets. The root cause is a mismatch between allocated page table pages (PTP) and memory access patterns in ct_vm_map(). Commit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256 playback streams, but the ct_vm_map() function only uses page table entries (PTEs) from vm->ptp[0].area regardless of CT_PTP_NUM value. On AMD64 architectures with 64-bit addressing, a single PTP covers 512 PTEs spanning 2MB of virtual address space. When audio stream allocations exceed this 2MB boundary, the driver attempts to write PTEs beyond the single allocated page, causing an out-of-bounds access and kernel page fault (Oops: 0002 write fault). The fix reverts CT_PTP_NUM to 1 while maintaining 256 SRC_RESOURCE_NUM and playback_count, acknowledging that proper multi-page PTP support would require refactoring the entire virtual memory allocation subsystem to use the CT20K2's multiple VMEM_PTPAL registers correctly.

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.83 or later for 6.12.x series, 6.18.24 or later for 6.18.x series, 6.19.14 or later for 6.19.x series, or 7.0.1 or later for 7.0.x series. Patches available from kernel.org stable tree (commits ad9011a795407093dcf507f6e5da1828987b4b47, 365c36e1a126c6aa1aecedd3a351bcabc66f0c29, 3fd0685d7fef68c2d8a04876bcf9eaa0724ad6a5, b7f5ecd13cce8c2f8fa5a84c9aab65997142577e). For systems unable to immediately patch, disable the snd_ctxfi module via kernel module blacklist (add 'blacklist snd_ctxfi' to /etc/modprobe.d/blacklist.conf) - this prevents exploitation but renders CT20K2 audio hardware non-functional. Alternatively, restrict access to /dev/snd/* device nodes to trusted users only via udev rules, limiting attack surface to privileged audio applications (trade-off: breaks unprivileged audio playback for desktop users). Verify loaded modules after mitigation with 'lsmod | grep snd_ctxfi'. No workaround preserves full functionality without patching.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31602 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy