Skip to main content

Linux Kernel CVE-2026-46049

| EUVDEUVD-2026-32431 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-cvxr-f657-mx22
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local audio device access requires low-privilege group membership (AV:L, PR:L); only a kernel hang results, with no confidentiality or integrity impact (C:N, I:N, A:H).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 15:11 vuln.today
CVSS changed
Jun 16, 2026 - 15:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ALSA: ctxfi: Add fallback to default RSR for S/PDIF

spdif_passthru_playback_get_resources() uses atc->pll_rate as the RSR for the MSR calculation loop. However, pll_rate is only updated in atc_pll_init() and not in hw_pll_init(), so it remains 0 after the card init.

When spdif_passthru_playback_setup() skips atc_pll_init() for 32000 Hz, (rsr * desc.msr) always becomes 0, causing the loop to spin indefinitely.

Add fallback to use atc->rsr when atc->pll_rate is 0. This reflects the hardware state, since hw_card_init() already configures the PLL to the default RSR.

AnalysisAI

Infinite loop denial-of-service in the Linux kernel ALSA ctxfi audio driver allows a local low-privileged user to hang the kernel by triggering S/PDIF passthrough playback at 32000 Hz on Creative Sound Blaster X-Fi hardware. The root cause is an uninitialized pll_rate field that causes a resource-calculation loop to never exit, consuming CPU indefinitely and degrading or halting system availability. No public exploit exists and the EPSS score of 0.02% (5th percentile) confirms negligible real-world exploitation pressure; the vulnerability is not listed in CISA KEV.

Technical ContextAI

The vulnerability resides in the ctxfi ALSA subsystem driver (Creative Sound Blaster X-Fi) within the Linux kernel sound stack. The function spdif_passthru_playback_get_resources() uses atc->pll_rate as the RSR (Reference Sample Rate) when iterating through MSR (Master Sample Rate) descriptor combinations. The field pll_rate is only set in atc_pll_init() and not in the alternative hw_pll_init() path, leaving it at zero after normal hardware card initialization. When spdif_passthru_playback_setup() processes a 32000 Hz stream, it bypasses atc_pll_init(), so the loop condition (rsr * desc.msr) permanently evaluates to zero, creating an unreachable exit condition (effectively CWE-835, Loop with Unreachable Exit Condition). The fix adds a fallback to use atc->rsr when atc->pll_rate is zero, reflecting the actual hardware PLL state set by hw_card_init(). Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* across multiple stable branches.

RemediationAI

Upgrade to a patched kernel version: Linux 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 or later, per EUVD-confirmed fix data. Upstream commits are available at https://git.kernel.org/stable/c/30f9494c6f2b53a78822cfb653ffbb1d092d44c8 and the sibling stable-branch commits listed in references. If an immediate kernel upgrade is not feasible, blacklisting the ctxfi module eliminates the vulnerable code path entirely with no impact on non-Creative audio hardware: add 'blacklist snd-ctxfi' to /etc/modprobe.d/ and reboot. As a narrower compensating control, restricting audio device node access via udev rules or group membership (removing non-essential users from the 'audio' group) prevents unprivileged triggering of the 32000 Hz S/PDIF passthrough path, though this affects all audio use for those users. Distribution vendors (Debian, Ubuntu, RHEL, SUSE) are expected to backport the fix through standard security update channels.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46049 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy