Skip to main content

Linux Kernel EUVDEUVD-2026-38832

| CVE-2026-52964 MEDIUM
2026-06-24 Linux GHSA-885g-75hv-6jcq
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.1 MEDIUM

AV:L retained for USB emulation applicability; C:L added over NVD C:N to reflect out-of-bounds read potential for adjacent kernel memory exposure per Information Disclosure tag.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 14, 2026 - 16:24 vuln.today
CVSS changed
Jul 14, 2026 - 16:22 NVD
5.5 (MEDIUM)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:28 nvd
MEDIUM 5.5
CVE Published
Jun 24, 2026 - 16:28 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans

The USB MIDI 2.0 endpoint parser has the same descriptor walking pattern as the legacy MIDI parser. It validates bLength against bNumGrpTrmBlock before reading baAssoGrpTrmBlkID[], but not against the remaining bytes in the endpoint-extra scan.

A malformed device can therefore make later baAssoGrpTrmBlkID[] reads consume bytes past the walked descriptor.

Reject zero-length and overlong descriptors while walking endpoint extras.

AnalysisAI

Out-of-bounds descriptor read in the Linux kernel ALSA USB MIDI 2.0 subsystem allows a physically proximate or low-privileged local attacker to crash the kernel by presenting a malformed USB audio device with crafted MIDI 2.0 endpoint descriptors. The USB MIDI 2.0 endpoint parser validates bLength against bNumGrpTrmBlock but omits validation against remaining bytes in the endpoint-extra scan, allowing baAssoGrpTrmBlkID[] reads to advance past the descriptor buffer boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious USB MIDI 2.0 device with oversized descriptor
Delivery
Insert device into accessible USB port on target Linux system
Exploit
Kernel snd-usb-audio module enumerates device and walks endpoint extras
Execution
Parser reads baAssoGrpTrmBlkID[] past descriptor boundary
Impact
Kernel panic or adjacent memory exposure

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to present a USB device advertising a MIDI 2.0 audio class interface with malformed endpoint extra descriptors - specifically, a descriptor where bLength is crafted so that baAssoGrpTrmBlkID[] reads extend beyond the remaining bytes in the endpoint-extra scan window. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 5.5 Medium (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates local access with low privileges producing an availability-only impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with physical access to a Linux workstation or audio production machine constructs a USB device - using commodity hardware such as a Raspberry Pi Zero running USB gadget mode - programmed to advertise a USB MIDI 2.0 class interface with endpoint extra descriptors where bLength is crafted to mismatch the remaining scan bytes. Upon insertion, the kernel's ALSA MIDI 2.0 parser walks the descriptors and reads past the endpoint buffer, triggering a kernel oops or panic and causing a system crash. …
Remediation The primary fix is to upgrade to a patched Linux kernel version from one of the confirmed stable series: 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1, as documented in EUVD-2026-38832 and the git.kernel.org stable commits. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38832 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy