Skip to main content

Linux Kernel CVE-2026-31778

| EUVDEUVD-2026-26591 HIGH
Out-of-bounds Read (CWE-125)
2026-05-01 Linux
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 11, 2026 - 18:08 vuln.today
CVSS changed
May 11, 2026 - 18:07 NVD
7.1 (HIGH)
Patch available
May 01, 2026 - 16:33 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26591
CVE Published
May 01, 2026 - 14:15 nvd
HIGH 7.1
CVE Published
May 01, 2026 - 14:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ALSA: caiaq: fix stack out-of-bounds read in init_card

The loop creates a whitespace-stripped copy of the card shortname where len < sizeof(card->id) is used for the bounds check. Since sizeof(card->id) is 16 and the local id buffer is also 16 bytes, writing 16 non-space characters fills the entire buffer, overwriting the terminating nullbyte.

When this non-null-terminated string is later passed to snd_card_set_id() -> copy_valid_id_string(), the function scans forward with while (*nid && ...) and reads past the end of the stack buffer, reading the contents of the stack.

A USB device with a product name containing many non-ASCII, non-space characters (e.g. multibyte UTF-8) will reliably trigger this as follows:

BUG: KASAN: stack-out-of-bounds in copy_valid_id_string sound/core/init.c:696 [inline] BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock+0x698/0x74c sound/core/init.c:718

The off-by-one has been present since commit bafeee5b1f8d ("ALSA: snd_usb_caiaq: give better shortname") from June 2009 (v2.6.31-rc1), which first introduced this whitespace-stripping loop. The original code never accounted for the null terminator when bounding the copy.

Fix this by changing the loop bound to sizeof(card->id) - 1, ensuring at least one byte remains as the null terminator.

AnalysisAI

Stack buffer out-of-bounds read in Linux kernel ALSA snd_usb_caiaq driver allows local authenticated users to disclose kernel stack memory and potentially trigger denial of service. The vulnerability affects systems with USB audio devices using the caiaq driver when product names contain many non-ASCII characters. Present since kernel v2.6.31-rc1 (June 2009), this 16-year-old off-by-one error lacks null terminator validation during whitespace stripping. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).

Technical ContextAI

The vulnerability resides in the ALSA (Advanced Linux Sound Architecture) snd_usb_caiaq driver's init_card function, which handles initialization of USB audio devices from Native Instruments. The flaw is a classic off-by-one error in string handling introduced by commit bafeee5b1f8d. During card initialization, the code strips whitespace from USB product names into a 16-byte stack buffer (card->id). The loop condition checks len < sizeof(card->id) (16 bytes) without reserving space for the null terminator. When a USB device reports a product name with 16 or more non-space characters-common with multibyte UTF-8 encoded names-the buffer fills completely without null termination. Subsequently, snd_card_set_id() calls copy_valid_id_string(), which iterates using while (*nid && ...) and reads beyond the buffer boundary into adjacent stack memory. This manifests as CWE-125 (Out-of-bounds Read), detected by KASAN (Kernel Address Sanitizer) at sound/core/init.c:696. The vulnerability affects kernel.org CPE streams tracking mainline and stable branches.

RemediationAI

Upgrade to patched kernel versions appropriate for your distribution's stable branch: 5.10.253 or later for 5.10.x LTS, 5.15.203+ for 5.15.x LTS, 6.1.168+ for 6.1.x LTS, 6.6.134+ for 6.6.x stable, 6.12.81+ for 6.12.x, 6.18.22+ for 6.18.x, 6.19.12+ for 6.19.x, or 7.0+ for mainline. Primary fix commit 02d9c5b0b555 changes loop bound from sizeof(card->id) to sizeof(card->id)-1, ensuring null terminator preservation. Vendor advisories and patches available at kernel.org stable tree references listed above. If immediate patching is not feasible, implement compensating controls: (1) Blacklist the snd_usb_caiaq kernel module via modprobe configuration (blacklist snd_usb_caiaq in /etc/modprobe.d/) if Native Instruments USB audio devices are not required-this completely eliminates attack surface but disables legitimate hardware functionality; (2) Restrict physical USB port access and disable USB device auto-loading for non-administrative users via udev rules-adds operational complexity in desktop environments; (3) In virtualized environments, disable USB passthrough for untrusted guest VMs-may impact legitimate USB audio workflows. Monitor kernel logs for KASAN stack-out-of-bounds warnings in snd_card_set_id_no_lock as potential exploitation indicators. Note that compensating controls trading functionality for security may not be acceptable in audio production environments where this hardware is commonly deployed.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31778 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy