KernelScan.io

HIGH

ALSA Scarlett2 Config Buffer Overflow

CVE-2026-23078

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH

In the Linux kernel, the following vulnerability has been resolved:

ALSA: scarlett2: Fix buffer overflow in config retrieval

The scarlett2_usb_get_config() function has a logic error in the endianness conversion code that can cause buffer overflows when count > 1.

The code checks `if (size == 2)` where `size` is the total buffer size in bytes, then loops `count` times treating each element as u16 (2 bytes). This causes the loop to access `count * 2` bytes when the buffer only has `size` bytes allocated.

Fix by checking the element size (config_item->size) instead of the total buffer size. This ensures the endianness conversion matches the actual element type.

Engine v0.2.0

Risk summary

A buffer overflow vulnerability in the ALSA Scarlett2 USB audio driver could allow an attacker with physical access to cause memory corruption by connecting a malicious USB audio device. This could potentially lead to system crashes, privilege escalation, or arbitrary code execution in kernel context.

Affected: sound/usb/mixer_scarlett2.c

Vulnerability analysis

Root Cause: The scarlett2_usb_get_config() function contains a logic error in endianness conversion where it checks the total buffer size (`size`) instead of the element size (`config_item->size`) to determine data type. When `count > 1`, the code incorrectly treats the total buffer size as the element size, causing the endianness conversion loop to access `count * 2` bytes when only `size` bytes are allocated, resulting in a buffer overflow.

Attack Surface: This vulnerability affects USB audio devices, specifically Scarlett2 audio interfaces. It requires physical access to connect a malicious USB device or the ability to trigger the vulnerable code path through legitimate USB audio operations. The attack surface is local and requires the ability to interact with the USB subsystem.

Fix Mechanism: The patch corrects the conditional checks by replacing `size == 2` with `config_item->size == 16` and `size == 4` with `config_item->size == 32`. This ensures the endianness conversion logic matches the actual element type rather than the total buffer size, preventing out-of-bounds memory access during the conversion loop.
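Added example (not the kernel's code and not KernelScan output): a user-space C model of the check described above, run inside a guard arena so the overrun can be counted safely. The names bytes_overrun, swap_bytes and ARENA and the sample data are hypothetical; the model assumes the element size is a bit width and that the total buffer size is elem_bits / 8 * count bytes.

```c
#include <stdint.h>
#include <stdio.h>

#define ARENA 64 /* buffer plus guard space, so the overrun stays inside the model */

/* Reverse one element's bytes in place (stands in for the endianness fix-up). */
static void swap_bytes(uint8_t *p, int width)
{
    for (int i = 0; i < width / 2; i++) {
        uint8_t t = p[i];
        p[i] = p[width - 1 - i];
        p[width - 1 - i] = t;
    }
}

/* Convert `count` elements of `elem_bits` bits (the role of config_item->size)
 * and return how many bytes past the `size`-byte buffer were modified.
 * fixed = 0 tests the total size; fixed = 1 tests the element width. */
static int bytes_overrun(int elem_bits, int count, int fixed)
{
    uint8_t arena[ARENA], ref[ARENA];
    int size = elem_bits / 8 * count; /* assumed: total bytes retrieved */
    int width = 0, overrun = 0;

    for (int i = 0; i < ARENA; i++)
        arena[i] = ref[i] = (uint8_t)(i + 1); /* constructed sample data */

    if (fixed ? elem_bits == 16 : size == 2)
        width = 2;
    else if (fixed ? elem_bits == 32 : size == 4)
        width = 4;

    if (count * width <= ARENA) /* keep the model itself in bounds */
        for (int i = 0; i < count && width; i++)
            swap_bytes(arena + i * width, width);

    for (int i = size; i < ARENA; i++)
        overrun += arena[i] != ref[i];
    return overrun;
}

int main(void)
{
    int cases[][2] = { {8, 2}, {8, 4}, {16, 2}, {16, 1} }; /* {bits, count} */
    for (int i = 0; i < 4; i++)
        printf("bits=%2d count=%d  old check: %2d bytes past end, new check: %d\n",
               cases[i][0], cases[i][1],
               bytes_overrun(cases[i][0], cases[i][1], 0),
               bytes_overrun(cases[i][0], cases[i][1], 1));
    return 0;
}
```

With the old check, any element layout whose total happens to be 2 or 4 bytes is converted at the wrong width; a single 16-bit element (count = 1) is the case where both checks agree.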

Branch     Fixed in    Patch commit
5.15       5.15.199    d5e80d1f97ae
6.1        6.1.162     51049f6e3f05
6.12       6.12.68     27049f50be9f
6.18       6.18.8      31a3eba5c265
6.6        6.6.122     91a756d22f04
mainline   6.19        6f5c69f72e50