Skip to main content

Linux Kernel EUVDEUVD-2026-32399

| CVE-2026-46018 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-fgw2-9pf4-66rf
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local vector because exploitation requires physical USB device attachment; PR:L as any user can insert a USB device; pure availability impact from mutex contention during probe with no confidentiality or integrity consequence.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 16:00 vuln.today
CVSS changed
Jun 16, 2026 - 15:37 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES

parse_uac2_sample_rate_range() caps the number of enumerated rates at MAX_NR_RATES, but it only breaks out of the current rate loop. A malformed UAC2 RANGE response with additional triplets continues parsing the remaining triplets and repeatedly prints "invalid uac2 rates" while probe still holds register_mutex.

Stop the whole parse once the cap is reached and return the number of rates collected so far.

AnalysisAI

Availability degradation in the Linux kernel ALSA USB audio subsystem allows a local attacker with a crafted UAC2 USB audio device to trigger an unbounded parsing loop that holds register_mutex while repeatedly flooding the kernel log with error messages. Affected systems running snd-usb-audio on multiple stable kernel branches from 3.x through 7.0 are exposed to denial-of-service via mutex contention during USB device probe. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (6th percentile) reflects minimal threat actor interest; no CISA KEV listing exists.

Technical ContextAI

The vulnerability resides in parse_uac2_sample_rate_range() within the Linux kernel ALSA USB audio driver (drivers/usb/audio, CONFIG_SND_USB_AUDIO). USB Audio Class 2.0 (UAC2) devices report supported sample rates via RANGE responses structured as triplets (MIN, MAX, RES). The function correctly caps enumerated rates at MAX_NR_RATES, but the original break statement only exits the inner per-triplet loop. The outer triplet-iteration loop continues processing any additional malformed triplets beyond the cap, repeatedly emitting 'invalid uac2 rates' kernel log messages - all while the probe path holds register_mutex. This mutex retention during excess parsing creates contention for any other code path requiring register_mutex, causing kernel availability impact. No CWE was formally assigned, but the root cause class is a loop-control logic error (analogous to CWE-670: Always-Incorrect Control Flow Implementation). CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* covers all affected branches.

RemediationAI

The primary fix is to upgrade to a patched kernel version. Confirmed patched releases per EUVD are 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. Fix commits are available across multiple stable kernel branches at git.kernel.org: 3c318f97dcc50b2e0556a1813bd6958678e881fd, 4d7893a137eadb6163ea4298bf67d74b811d76ef, a0b78639ef09b2e77974a3de3b1c07f6de3c5e56, ab5ba9fd138758ddc50222264ff246b31e397abf, ba036305323814ec1f8655313b2fa6a0f7048716, and related commits (see https://git.kernel.org/stable/c/3c318f97dcc50b2e0556a1813bd6958678e881fd). For systems where kernel updates are not immediately feasible, blacklisting the snd-usb-audio module via /etc/modprobe.d/ will prevent the vulnerable code path from executing entirely - note this disables all USB audio functionality as a trade-off. Alternatively, USB device allowlisting via udev rules (restricting enumeration to known-good VID/PID pairs) prevents untrusted UAC2 devices from triggering the probe path without disabling USB audio globally. Organizations with physical port lockdown policies (USB port blockers, endpoint management) have inherently limited exposure.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32399 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy