Skip to main content

Linux Kernel CVE-2026-46146

| EUVDEUVD-2026-32773 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-pvph-jwxq-qcxw
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.6 MEDIUM

Physical USB port access is the fundamental attack prerequisite; once present, no authentication is needed, so AV:P/PR:N; impact is purely availability with no data exposure.

3.1 AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 21:31 vuln.today
CVSS changed
Jun 10, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()

The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.

Add a proper size check to abort the loop for plugging the hole.

AnalysisAI

Denial of service in the Linux kernel ALSA USB audio subsystem allows a local attacker to hang a CPU core indefinitely by presenting a malformed USB audio class v3 channel map descriptor. The affected function convert_chmap_v3() uses the descriptor field cs_desc->wLength as a loop increment without validating it, so a zero-length descriptor causes an unescapable infinite loop that saturates a CPU core until the process is killed or the system rebooted. No active exploitation has been confirmed - the vulnerability is absent from CISA KEV, and the EPSS score of 0.02% at the 5th percentile indicates negligible current attacker interest.

Technical ContextAI

The vulnerability exists in the Linux kernel's ALSA (Advanced Linux Sound Architecture) USB audio driver, within the convert_chmap_v3() function in sound/usb/. This function parses USB audio class v3 channel map descriptors received from connected USB audio peripherals. The loop that iterates over descriptor entries uses cs_desc->wLength as its step size, but the kernel failed to validate that field before using it as a loop increment. CWE-835 (Loop with Unreachable Exit Condition) precisely describes the root cause: external, attacker-controlled data from a USB device drives loop progression, and a zero value makes the loop counter never advance, trapping execution. Affected products span multiple Linux kernel stable branches per CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.

RemediationAI

Apply the vendor-released kernel patch available across multiple stable branches: upgrade to Linux 6.6.140, 6.12.88, 6.18.30, or 7.0.7 as appropriate for your distribution. Fix commits are available at https://git.kernel.org/stable/c/4e0ee232ebe3df04874125d7c7f3e6c25ea5483d, https://git.kernel.org/stable/c/fa5b19ce69067874b1413f3c2027563bae8c2cb3, and sibling commits for other stable branches. As a compensating control where immediate kernel updates are not feasible, unload or blacklist the snd-usb-audio kernel module (modprobe -r snd-usb-audio or adding it to /etc/modprobe.d/blacklist.conf) - note this disables all USB audio devices on the host, which is an acceptable trade-off on servers or kiosks that do not use USB audio. Physical USB port blockers reduce attack surface in high-risk physical access environments. Distribution-specific backported patches may be available from RHEL, Ubuntu, SUSE, and Debian security channels.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46146 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy