HIGH
alsa ctxfi Mixer OOB
CVE-2026-23076
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI 7.1 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: ctxfi: Fix potential OOB access in audio mixer handling

In the audio mixer handling code of ctxfi driver, the conj field is used as a kind of loop index, and it's referred to in the index callbacks (amixer_index() and sum_index()). As spotted recently by fuzzers, the current code causes OOB access at those functions.

```
UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/sound/pci/ctxfi/ctamixer.c:347:48
index 8 is out of range for type 'unsigned char [8]'
```

After the analysis, the cause was found to be the lack of the proper (re-)initialization of conj field. This patch addresses those OOB accesses by adding the proper initializations of the loop indices.
02 KernelScan AI Analysis
Risk summary
An attacker with local access to a system with Creative Sound Blaster X-Fi audio hardware could potentially trigger out-of-bounds memory reads by performing audio mixer operations. This could lead to information disclosure or system instability, though exploitation requires specific hardware and local access.
Vulnerability analysis
Summary: The ctxfi audio driver contains an out-of-bounds array access vulnerability in its mixer handling code. The `conj` field is used as a loop index in callback functions `amixer_index()` and `sum_index()`, but was not properly initialized, allowing it to contain arbitrary values that could exceed array bounds.
Root Cause: The `conj` field in `amixer` and `sum` resource structures was not initialized to 0 during resource initialization. This field is used as an array index in callback functions, and uninitialized values could exceed the bounds of 8-element arrays, causing out-of-bounds reads.
Attack Surface: This vulnerability affects systems with Creative Sound Blaster X-Fi audio hardware using the ctxfi driver. It requires local access to trigger audio mixer operations that would exercise the vulnerable code paths. The vulnerability was discovered through fuzzing, indicating it may be reachable through normal audio operations.
Fix Mechanism: The patch adds explicit initialization of the `conj` field to 0 in both `amixer_rsc_init()` and `sum_rsc_init()` functions. This ensures the field starts with a valid array index value and prevents out-of-bounds access.
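A simplified user-space model of the defect and fix described above, added here as an illustration and not taken from the ctxfi driver or the patch. The `model_*` names, the slot values and the reuse scenario (an object whose index was advanced by an earlier loop and is then re-initialized) are assumptions; the index lookup is bounds-checked so that an out-of-range access returns -1 instead of reading past the array.

```c
#include <stdio.h>
#include <string.h>

#define MODEL_SLOTS 8 /* same size as the 'unsigned char [8]' in the UBSAN report */

/* Hypothetical stand-ins for the driver's resource structures (not kernel code). */
struct model_rsc { unsigned int conj; unsigned int msr; };
struct model_amixer { struct model_rsc rsc; unsigned char idx[MODEL_SLOTS]; };

/* Checked version of an index callback: -1 marks a lookup that would be OOB. */
static int model_index(const struct model_amixer *m)
{
    if (m->rsc.conj >= MODEL_SLOTS)
        return -1;
    return m->idx[m->rsc.conj];
}

/* Visit every slot, using conj as the loop index; conj ends up equal to msr. */
static void model_walk(struct model_amixer *m)
{
    for (unsigned int i = 0; i < m->rsc.msr; i++, m->rsc.conj++)
        (void)model_index(m);
}

/* Init that fills the slots; conj is reset only when reset_conj is set. */
static void model_init(struct model_amixer *m, int reset_conj)
{
    m->rsc.msr = MODEL_SLOTS;
    for (unsigned int i = 0; i < MODEL_SLOTS; i++)
        m->idx[i] = (unsigned char)(16 + i); /* constructed slot numbers */
    if (reset_conj)
        m->rsc.conj = 0; /* the initialization the fix adds */
}

/* Use an object, re-initialize it, and return the first index lookup. */
static int model_reuse(int reset_conj)
{
    struct model_amixer m;
    memset(&m, 0, sizeof(m));
    model_init(&m, 1);
    model_walk(&m); /* leaves conj == 8, one past the last valid slot */
    model_init(&m, reset_conj);
    return model_index(&m);
}

int main(void)
{
    printf("without reset: %d\n", model_reuse(0));
    printf("with reset:    %d\n", model_reuse(1));
    return 0;
}
```

Without the reset, the first lookup after re-initialization uses index 8, the same value the UBSAN report flags.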
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.249 | 6524205326e0 |
| 5.15 | 5.15.199 | afca7ff5d5d4 |
| 6.1 | 6.1.162 | 8c1d09806e14 |
| 6.12 | 6.12.68 | d77ba72558cd |
| 6.18 | 6.18.8 | 873e2360d247 |
| 6.6 | 6.6.122 | a8c42d11b052 |
| mainline | 6.19 | 61006c540cbd |