Skip to main content

Linux Kernel CVE-2026-31776

| EUVDEUVD-2026-26589 HIGH
Improper Validation of Array Index (CWE-129)
2026-05-01 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
4.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 05:01 vuln.today
CVSS changed
May 07, 2026 - 02:50 NVD
7.8 (HIGH)
Patch released
May 02, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26589
CVE Published
May 01, 2026 - 14:15 nvd
HIGH 7.8
CVE Published
May 01, 2026 - 14:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ALSA: ctxfi: Fix missing SPDIFI1 index handling

SPDIF1 DAIO type isn't properly handled in daio_device_index() for hw20k2, and it returned -EINVAL, which ended up with the out-of-bounds array access. Follow the hw20k1 pattern and return the proper index for this type, too.

AnalysisAI

Out-of-bounds array access in Linux kernel ALSA ctxfi driver allows local authenticated users to achieve arbitrary code execution with high integrity and confidentiality impact. The flaw stems from improper SPDIF1 DAIO type handling in daio_device_index() for hw20k2 hardware, which returns -EINVAL instead of a valid index, leading to buffer overflow conditions (CWE-129). Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation activity; no CISA KEV listing or public POC identified at time of analysis.

Technical ContextAI

This vulnerability affects the ALSA (Advanced Linux Sound Architecture) ctxfi driver, specifically code handling Creative Technology sound cards with hw20k2 chipsets. The daio_device_index() function in sound/pci/ctxfi/cthw20k2.c fails to recognize the SPDIF1 (Sony/Philips Digital Interface 1) DAIO (Digital Audio Input/Output) type, returning -EINVAL error code instead of a valid array index. This negative return value is subsequently used as an array index without bounds checking, triggering CWE-129 (Improper Validation of Array Index). When the invalid index accesses memory outside allocated buffer boundaries, it creates conditions for arbitrary memory access. The hw20k1 chipset code correctly handles this DAIO type with proper indexing, and patches apply the same pattern to hw20k2. The vulnerability exists in kernel code dating back to commit 1da177e4c3f4 (initial git repository creation in 2.6.12-rc2, April 2005), affecting nearly two decades of kernel versions until patched in 2026.

RemediationAI

Upgrade to patched Linux kernel versions: 5.10.253+ for 5.10.x series, 5.15.203+ for 5.15.x, 6.1.168+ for 6.1.x LTS, 6.6.134+ for 6.6.x LTS, 6.12.81+ for 6.12.x stable, 6.18.22+ for 6.18.x, 6.19.12+ for 6.19.x, or 7.0+ for mainline. Upstream patch commits available at https://git.kernel.org/stable/c/a3b0e5f84058a9c3d0542a71c2b3a7801e4ee26a and related stable branch commits linked in CVE references. For systems unable to upgrade immediately, blacklist the snd-ctxfi kernel module via /etc/modprobe.d/blacklist-ctxfi.conf containing 'blacklist snd-ctxfi' and 'blacklist snd-ca0106' (related driver), then reboot or execute 'modprobe -r snd-ctxfi' to unload. Note: blacklisting disables Creative hw20k2 sound card functionality entirely - users lose audio output/input on affected hardware. Alternative compensating control: restrict local user access via mandatory access control (SELinux/AppArmor) to prevent untrusted users from loading kernel modules or accessing /dev/snd/* device nodes. Verify active module status with 'lsmod | grep ctxfi' before and after mitigation. Trade-off analysis: kernel upgrade has no functional impact; module blacklisting sacrifices audio hardware functionality for security on single-purpose systems.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31776 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy