KernelScan.io

HIGH

alsa USB Audio Frame Overflow

CVE-2026-23208

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Prevent excessive number of frames

In this case, the user constructed the parameters with maxpacksize 40 for rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer size for each data URB is maxpacksize * packets, which in this example is 40 * 6 = 240; When the user performs a write operation to send audio data into the ALSA PCM playback stream, the calculated number of frames is packsize[0] * packets = 264, which exceeds the allocated URB buffer size, triggering the out-of-bounds (OOB) issue reported by syzbot [1].

Added a check for the number of single data URB frames when calculating the number of frames to prevent [1].

[1]

```
BUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487
Write of size 264 at addr ffff88804337e800 by task syz.0.17/5506
Call Trace:
 copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487
 prepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611
 prepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333
```

Engine v0.2.0

Risk summary

An attacker with local access can trigger a buffer overflow in the USB audio subsystem by connecting a malicious USB audio device or manipulating audio parameters. This could lead to kernel memory corruption, potentially allowing privilege escalation or system crashes. The vulnerability affects systems that process USB audio devices.

Affected: sound/usb/pcm.c

Vulnerability analysis

Root Cause: The vulnerability occurs in the USB audio PCM playback code where the number of frames calculated for a USB Request Block (URB) can exceed the allocated buffer size. Specifically, when preparing playback URBs, the code calculates frames as `packsize[0] * packets` without checking if this exceeds the URB buffer size of `maxpacksize * packets`. In the reported case, with maxpacksize=40, packets=6, packsize[0]=22, and packsize[1]=23, the calculated frames (264) exceeded the allocated buffer size (240), leading to an out-of-bounds write.

Attack Surface: This vulnerability is triggered through USB audio device interactions, requiring physical access to connect a malicious USB audio device or the ability to control USB audio parameters through userspace ALSA interfaces. The attack requires local access and the ability to send audio data to ALSA PCM playback streams with crafted parameters.

Fix Mechanism: The patch adds a bounds check in the frame calculation loop by modifying the condition from `if (counts < 0)` to `if (counts < 0 || frames + counts >= ep->max_urb_frames)`. This prevents the accumulation of frames from exceeding the maximum URB frame limit, stopping the loop before an overflow occurs.
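A simplified user-space model of the frame-counting loop and the added bound, given here as an added example that is not the kernel's code or the patch itself. The 2-byte frame stride and setting `max_urb_frames` to the buffer capacity in frames are assumptions, chosen so the unpatched path reproduces the 264-byte write against the 240-byte buffer; `ep_model`, `frames_for_urb` and `bytes_for_urb` are hypothetical names.

```c
#include <stdio.h>

#define MAXPACKSIZE 40  /* bytes per packet, from the report */
#define PACKETS      6  /* packets per URB, from the report */
#define STRIDE       2  /* bytes per frame: ASSUMED, not stated on the page */
#define URB_BYTES   (MAXPACKSIZE * PACKETS)   /* 240-byte URB buffer */

/* Model of the endpoint; max_urb_frames is ASSUMED to equal the buffer
 * capacity in frames for this illustration. */
struct ep_model { int max_urb_frames; };

/* Constructed sample input: every packet carries packsize[0] = 22 frames. */
static const int sample_counts[PACKETS] = { 22, 22, 22, 22, 22, 22 };
static const struct ep_model sample_ep = { URB_BYTES / STRIDE };

/* Accumulate frames for one URB. patched == 0 keeps only the original
 * `counts < 0` test; patched != 0 adds the bound quoted in the fix. */
static int frames_for_urb(const struct ep_model *ep, const int *counts,
                          int packets, int patched)
{
    int frames = 0;
    for (int i = 0; i < packets; i++) {
        int c = counts[i];
        if (c < 0 || (patched && frames + c >= ep->max_urb_frames))
            break;              /* stop before the URB would be overfilled */
        frames += c;
    }
    return frames;
}

/* Bytes that a copy into the URB buffer would write for that frame count. */
static int bytes_for_urb(int patched)
{
    return frames_for_urb(&sample_ep, sample_counts, PACKETS, patched) * STRIDE;
}

int main(void)
{
    printf("buffer=%d unpatched=%d patched=%d\n",
           URB_BYTES, bytes_for_urb(0), bytes_for_urb(1));
    return 0;
}
```

Under these assumptions the unpatched loop accepts all six packets, while the patched loop stops after the fifth and stays inside the buffer.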

| Branch | Fixed in | Patch commit |
|---|---|---|
| 4.14 | 4.14.188 | 282aba56713b |
| 4.19 | 4.19.132 | c4dc012b027c |
| 4.4 | 4.4.230 | 480a1490c595 |
| 4.9 | 4.9.230 | ab0b5e92fc36 |
| 5.4 | 5.4.51 | e0ed5a36fb3a |
| 5.7 | 5.7.8 | d67dde02049e |
| 6.18 | 6.18.10 | 62932d9ed639 |
| mainline | 6.19 | ef5749ef8b30 |