Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AV:L retained for USB emulation applicability; C:L added over NVD C:N to reflect out-of-bounds read potential for adjacent kernel memory exposure per Information Disclosure tag.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans
The USB MIDI 2.0 endpoint parser has the same descriptor walking pattern as the legacy MIDI parser. It validates bLength against bNumGrpTrmBlock before reading baAssoGrpTrmBlkID[], but not against the remaining bytes in the endpoint-extra scan.
A malformed device can therefore make later baAssoGrpTrmBlkID[] reads consume bytes past the walked descriptor.
Reject zero-length and overlong descriptors while walking endpoint extras.
AnalysisAI
Out-of-bounds descriptor read in the Linux kernel ALSA USB MIDI 2.0 subsystem allows a physically proximate or low-privileged local attacker to crash the kernel by presenting a malformed USB audio device with crafted MIDI 2.0 endpoint descriptors. The USB MIDI 2.0 endpoint parser validates bLength against bNumGrpTrmBlock but omits validation against remaining bytes in the endpoint-extra scan, allowing baAssoGrpTrmBlkID[] reads to advance past the descriptor buffer boundary. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to present a USB device advertising a MIDI 2.0 audio class interface with malformed endpoint extra descriptors - specifically, a descriptor where bLength is crafted so that baAssoGrpTrmBlkID[] reads extend beyond the remaining bytes in the endpoint-extra scan window. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 5.5 Medium (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates local access with low privileges producing an availability-only impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with physical access to a Linux workstation or audio production machine constructs a USB device - using commodity hardware such as a Raspberry Pi Zero running USB gadget mode - programmed to advertise a USB MIDI 2.0 class interface with endpoint extra descriptors where bLength is crafted to mismatch the remaining scan bytes. Upon insertion, the kernel's ALSA MIDI 2.0 parser walks the descriptors and reads past the endpoint buffer, triggering a kernel oops or panic and causing a system crash. … |
| Remediation | The primary fix is to upgrade to a patched Linux kernel version from one of the confirmed stable series: 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1, as documented in EUVD-2026-38832 and the git.kernel.org stable commits. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38832
GHSA-885g-75hv-6jcq