Skip to main content

Linux Kernel CVE-2026-43279

| EUVDEUVD-2026-27677 HIGH
Out-of-bounds Write (CWE-787)
2026-05-06 Linux GHSA-2hw8-5267-5p9j
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:45 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:29 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Add sanity check for OOB writes at silencing

At silencing the playback URB packets in the implicit fb mode before the actual playback, we blindly assume that the received packets fit with the buffer size. But when the setup in the capture stream differs from the playback stream (e.g. due to the USB core limitation of max packet size), such an inconsistency may lead to OOB writes to the buffer, resulting in a crash.

For addressing it, add a sanity check of the transfer buffer size at prepare_silent_urb(), and stop the data copy if the received data overflows. Also, report back the transfer error properly from there, too.

Note that this doesn't fix the root cause of the playback error itself, but this merely covers the kernel Oops.

AnalysisAI

Out-of-bounds buffer writes in Linux kernel ALSA USB audio subsystem allow local authenticated attackers to crash the kernel or potentially achieve privilege escalation. The flaw occurs during implicit feedback mode playback when stream configurations mismatch between capture and playback, causing the prepare_silent_urb() function to write beyond allocated buffer boundaries. Affects all Linux kernel versions from initial commit 1da177e4c3f4 through multiple stable branches; vendor patches available for 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploits or active exploitation confirmed.

Technical ContextAI

This vulnerability resides in the Advanced Linux Sound Architecture (ALSA) USB audio driver, specifically in the implicit feedback synchronization mechanism used for USB audio playback. Implicit feedback mode synchronizes playback timing with capture stream timing to prevent audio drift. The prepare_silent_urb() function pre-fills USB Request Blocks (URBs) with silence before actual audio playback begins. When the capture stream configuration differs from playback (often due to USB core's maximum packet size constraints enforced per endpoint), the code assumes received packet sizes match allocated buffer dimensions without validation. This assumption failure creates a classic buffer overflow condition where transfer data exceeds destination buffer capacity. The affected CPE strings indicate all Linux kernel builds since the initial 2.6.12-rc2 commit (1da177e4c3f4) are vulnerable, spanning nearly two decades of kernel development across consumer, enterprise, and embedded distributions.

RemediationAI

Upgrade to patched Linux kernel versions: 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, or mainline 7.0 and later. Distribution-specific patches available through normal update channels (yum/dnf update kernel for RHEL/Fedora, apt upgrade linux-image for Debian/Ubuntu, zypper update kernel-default for SUSE). Verify applied patch using uname -r and compare against vendor security advisories. For systems where immediate patching is infeasible, implement compensating controls: disable ALSA implicit feedback mode by blacklisting the snd-usb-audio module parameter (echo 'options snd-usb-audio implicit_fb=0' > /etc/modprobe.d/usb-audio-workaround.conf, then reboot), though this may cause audio drift issues with certain USB audio interfaces requiring precise synchronization. Alternatively, restrict USB device access via udev rules to prevent untrusted users from attaching USB audio devices (create rules blocking /dev/snd/* access for non-audio group members). These mitigations trade audio quality/functionality for security and should only be temporary measures pending kernel update. Upstream fix references: https://git.kernel.org/stable/c/8995fc0e00b3fee9bf7ecb3d836b635b730c1049 (mainline), https://git.kernel.org/stable/c/fba2105a157fffcf19825e4eea498346738c9948, https://git.kernel.org/stable/c/780dc57794a217b49994fa1d0b42465fb10a00aa, https://git.kernel.org/stable/c/fa01973bb79d70c4736b6a4b2de99fbb2cbc8d1f, https://git.kernel.org/stable/c/6af16f1b8649df4c00d6ced924bdd8b72c885b6a, https://git.kernel.org/stable/c/ccaf9296763be4f76b59e2cac377006016c34435, https://git.kernel.org/stable/c/fc9e5af60dc199051dc202ae78e1fe76a9977a5e.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43279 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy