Skip to main content

Linux Kernel EUVDEUVD-2026-32471

| CVE-2026-46088 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-r965-2mvq-7ghh
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

AV:L and PR:L for required local low-privilege access; AC:H because exploitation requires the specific Clang+CONFIG_FORTIFY_SOURCE build configuration; A:H for kernel panic.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:35 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()

snd_ctl_elem_init_enum_names() advances pointer p through the names buffer while decrementing buf_len. If buf_len reaches zero but items remain, the next iteration calls strnlen(p, 0).

While strnlen(p, 0) returns 0 and would hit the existing name_len == 0 error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks maxlen against __builtin_dynamic_object_size(). When Clang loses track of p's object size inside the loop, this triggers a BRK exception panic before the return value is examined.

Add a buf_len == 0 guard at the loop entry to prevent calling fortified strnlen() on an exhausted buffer.

Found by kernel fuzz testing through Xiaomi Smartphone.

AnalysisAI

Kernel panic via exhausted buffer in the ALSA control subsystem affects Linux kernel builds compiled with CONFIG_FORTIFY_SOURCE and Clang, allowing a local low-privileged user to crash the system. The function snd_ctl_elem_init_enum_names() fails to guard against a zero buf_len before invoking strnlen(), and Clang's fortified strnlen fires a BRK exception when it cannot determine the object size of the advanced pointer p inside the loop - panicking the kernel before the intended error-path return. Discovered through kernel fuzz testing on Xiaomi Smartphone hardware; no public exploit and no KEV listing; EPSS is 0.02%.

Technical ContextAI

The affected code lives in the ALSA (Advanced Linux Sound Architecture) control layer (sound/core/control.c). snd_ctl_elem_init_enum_names() iterates a packed buffer of null-terminated strings to populate enum control element names, advancing pointer p and decrementing buf_len each iteration. The root cause is a missing exit guard: when buf_len reaches zero before all items are consumed, the code passes buf_len=0 to strnlen(). Under CONFIG_FORTIFY_SOURCE, Clang's fortified strnlen performs a __builtin_dynamic_object_size check on p before evaluating the return value; because Clang loses track of p's object size through the loop, this check fires a BRK instruction, raising a kernel panic. GCC-compiled kernels or kernels without CONFIG_FORTIFY_SOURCE handle strnlen(p, 0) gracefully (return 0, hit existing name_len==0 error path). No CWE is formally assigned; the closest applicable class is an off-by-one or missing bounds-check (CWE-193/CWE-119). CPE: cpe:2.3:o:linux:linux_kernel.

RemediationAI

Update the Linux kernel to a patched stable release: 6.6.140 or later for 6.6.x users, 6.12.86 or later for 6.12.x users, 7.0.4 or later for 7.0.x users, or 6.18.27 or later for 6.18.x users. Patch commits are indexed at https://git.kernel.org/stable/c/1fbe46d2b72754d8bd580e13e59ccb5d3d0e8cb0 and sibling commits listed in references. For systems that cannot be patched immediately, restrict local user access to ALSA control interfaces by removing non-essential users from the audio group, applying seccomp or AppArmor/SELinux profiles that deny ioctl access to /dev/snd/controlC* devices; this limits who can trigger the vulnerable code path. Disabling CONFIG_FORTIFY_SOURCE is not a recommended workaround as it removes broader kernel hardening protections. No vendor advisory URL beyond the stable kernel git tree has been identified.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32471 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy