Skip to main content

Linux Kernel CVE-2026-31619

| EUVDEUVD-2026-25512 MEDIUM
2026-04-24 Linux GHSA-c947-xgxx-fj67
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 14:22 vuln.today
CVSS changed
Apr 28, 2026 - 14:22 NVD
5.5 (MEDIUM)
Patch released
Apr 28, 2026 - 14:09 nvd
Patch available
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25512
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ALSA: fireworks: bound device-supplied status before string array lookup

The status field in an EFW response is a 32-bit value supplied by the firewire device. efr_status_names[] has 17 entries so a status value outside that range goes off into the weeds when looking at the %s value.

Even worse, the status could return EFR_STATUS_INCOMPLETE which is 0x80000000, and is obviously not in that array of potential strings.

Fix this up by properly bounding the index against the array size and printing "unknown" if it's not recognized.

AnalysisAI

Denial of service via out-of-bounds string lookup in Linux kernel ALSA fireworks driver allows local authenticated users to crash the system by supplying an invalid status value from a firewire device. The vulnerability stems from insufficient bounds checking on a 32-bit status field before array indexing into a 17-entry string table, enabling memory access violations when the device reports unexpected values including EFR_STATUS_INCOMPLETE (0x80000000).

Technical ContextAI

The ALSA (Advanced Linux Sound Architecture) fireworks driver processes responses from firewire audio devices. The vulnerability exists in the device-supplied status field handling, where a 32-bit value from an untrusted firewire device is used directly as an array index into efr_status_names[], a fixed 17-entry string array. Without bounds validation, out-of-range values cause out-of-bounds memory reads when dereferencing the %s format specifier, potentially reading arbitrary kernel memory or triggering a crash. The root cause is improper input validation of untrusted device data (CWE-129: Improper Validation of Array Index) combined with missing bounds checking before array access.

RemediationAI

Apply kernel security update to version 6.12.83 or later, 6.19.14 or later, or 6.18.24 or later depending on your stable branch. The fix implements bounds checking on the status field before array indexing and returns 'unknown' for out-of-range values instead of dereferencing invalid memory. Most Linux distributions will backport this fix to their stable/LTS kernels; check your vendor's security advisory for applicable updates. For systems that cannot immediately patch, disable the snd-fireworks audio driver module if firewire audio devices are not in use (via modprobe blacklist or kernel build option), eliminating the attack surface. This workaround trades audio functionality for stability and is only suitable when firewire audio is not required. Update your kernel via your distribution's package manager (apt/yum/dnf/zypper depending on distribution) and reboot to activate the patched kernel.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31619 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy