Skip to main content

Linux Kernel EUVDEUVD-2026-32811

| CVE-2026-46184 MEDIUM
Divide By Zero (CWE-369)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-42xg-w685-8874
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local USB access with low-privilege account required; impact is solely a kernel crash with no confidentiality or integrity loss.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 11, 2026 - 03:09 vuln.today
CVSS changed
Jun 11, 2026 - 03:07 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

sound: ua101: fix division by zero at probe

Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete().

USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash.

AnalysisAI

Division by zero in the Linux kernel's ua101 USB audio driver allows a local attacker to crash the kernel by presenting a crafted USB device with a malformed audio class descriptor. The ua101 driver's detect_usb_format() function fails to validate the bNrChannels field before use, so a device reporting bNrChannels = 0 causes frame_bytes to become zero, which is subsequently used as a divisor in both playback_urb_complete() and capture_urb_complete() URB handlers, triggering a fatal kernel panic. No public exploit has been identified and EPSS is 0.02% (5th percentile), but the vulnerability affects multiple supported stable branches and patches are available across all of them.

Technical ContextAI

The ua101 driver (sound/usb/ua101.c) supports Edirol/Roland UA-101 USB audio interfaces and processes USB Audio Class-specific descriptors during device probe. CWE-369 (Divide By Zero) is the root cause: the detect_usb_format() function reads the bNrChannels field from the USB audio class-specific descriptor and derives frame_bytes from it without any bounds or sanity check. USB core deliberately does not validate class-specific descriptor fields - that responsibility falls on each driver. When a device provides bNrChannels = 0, frame_bytes evaluates to zero and is later used as a denominator in the URB (USB Request Block) completion handlers for both playback and capture audio paths, causing an unrecoverable divide-by-zero exception. The vulnerability was introduced in commit 63978ab3e3e963db28093b53bb4598f2702e1ad7 and affects all descendent kernel versions up to the fixed stable releases. CPE data identifies affected products as cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.

RemediationAI

Update to a patched kernel version: Linux 6.6.140, 6.12.88, 7.0.7, or 7.1-rc2, all of which include the missing bNrChannels sanity check in detect_usb_format(). Individual fix commits are available at git.kernel.org/stable/c/ under the following hashes: 0ff2b713f406, 593dd7e6c890, 6162e8212e88, d1f73f169c10, f1862dbf0908, 66d9c2ed081f, aae1498c59f4, and e02897c5b041. If immediate kernel upgrade is not feasible, blacklisting the snd-ua101 module (echo 'blacklist snd-ua101' >> /etc/modprobe.d/blacklist.conf && modprobe -r snd-ua101) prevents the driver from loading entirely - note this disables Edirol/Roland UA-101 audio interfaces on the system. Alternatively, implementing udev rules to restrict USB audio device binding to pre-approved vendor/product IDs reduces exposure without fully disabling USB audio. Physical USB port locking or disabling unused USB ports in BIOS/UEFI is an additional hardening layer with no software-side trade-off.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32811 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy