Skip to main content

Linux Kernel CVE-2026-31777

| EUVDEUVD-2026-26590 MEDIUM
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 05:00 vuln.today
CVSS changed
May 07, 2026 - 02:50 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:33 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26590
CVE Published
May 01, 2026 - 14:15 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ALSA: ctxfi: Check the error for index mapping

The ctxfi driver blindly assumed a proper value returned from daio_device_index(), but it's not always true. Add a proper error check to deal with the error from the function.

AnalysisAI

Denial of service in the Linux kernel ALSA ctxfi audio driver allows local authenticated attackers to crash the system via improper error handling in the daio_device_index() function. The ctxfi driver failed to validate return values from index mapping operations, enabling a local user with standard privileges to trigger an unhandled error condition that disables audio functionality or causes system instability.

Technical ContextAI

The vulnerability exists in the ALSA (Advanced Linux Sound Architecture) ctxfi driver, which manages Creative Sound Blaster X-Fi audio hardware. The ctxfi driver communicates with audio device hardware through device index mapping via the daio_device_index() function. The root cause is insufficient error checking - the driver assumed this function always returned valid indices without verifying the return value for error conditions. CWE classification not provided in CVE data, but the missing error validation pattern is consistent with CWE-252 (Unchecked Return Value) or CWE-391 (Uncaught ExceptionType: Unchecked Exception). This is a kernel audio subsystem issue affecting systems with Creative X-Fi hardware or driver loaded.

RemediationAI

Update the Linux kernel to version 7.0 or later for mainline systems, or apply patch commit d4d3b8cbb70a2de247cbfe99bdb232aef9ed59bc. For stable kernel users, update to Linux 6.19.12 or later, or apply patch commit 277c6960d4ddb94d16198afd70c92c3d4593d131. References for patch details are available at https://git.kernel.org/stable/c/d4d3b8cbb70a2de247cbfe99bdb232aef9ed59bc and https://git.kernel.org/stable/c/277c6960d4ddb94d16198afd70c92c3d4593d131. If immediate patching is not feasible, systems without Creative X-Fi audio hardware can mitigate by unloading the ctxfi kernel module (sudo rmmod snd_ctxfi), which eliminates the attack surface entirely with the trade-off of losing audio functionality for any X-Fi devices. Alternatively, restrict local system access to trusted users only, reducing the pool of local attackers with PR:L (Low privilege) access required by this vulnerability.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31777 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy