HIGH Published 2026-03-25

usb-audio UAC3 Header Validation Bypass

CVE-2026-23318

CVSS 7.1 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

KernelScan AI7.1HIGH

01Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Use correct version for UAC3 header validation The entry of the validators table for UAC3 AC header descriptor is defined with the wrong protocol version UAC_VERSION_2, while it should have been UAC_VERSION_3. This results in the validator never matching for actual UAC3 devices (protocol == UAC_VERSION_3), causing their header descriptors to bypass validation entirely. A malicious USB device presenting a truncated UAC3 header could exploit this to cause out-of-bounds reads when the driver later accesses unvalidated descriptor fields. The bug was introduced in the same commit as the recently fixed UAC3 feature unit sub-type typo, and appears to be from the same copy-paste error when the UAC3 section was created from the UAC2 section.

02KernelScan AI Analysis

Engine v0.2.0

Risk summary

A malicious USB audio device could provide truncated or malformed UAC3 header descriptors that bypass validation, potentially causing the kernel to read beyond allocated memory boundaries when accessing descriptor fields. This could lead to information disclosure or system crashes when USB audio devices are connected.

Affectedsound/usb/validate.c

Vulnerability analysis

Root Cause: The UAC3 audio control header descriptor validator entry was incorrectly configured with UAC_VERSION_2 instead of UAC_VERSION_3. This caused the validation logic to never match UAC3 devices (which have protocol == UAC_VERSION_3), allowing their header descriptors to bypass validation entirely.

Attack Surface: Physical USB access is required to connect a malicious USB audio device. The vulnerability affects systems that accept USB audio devices and process UAC3 (USB Audio Class 3) descriptors. No network access or special privileges are needed beyond the ability to connect USB devices.

Fix Mechanism: The patch corrects the version constant from UAC_VERSION_2 to UAC_VERSION_3 in the validators table entry for UAC3 AC header descriptors. This ensures that UAC3 devices will properly match the validator and have their descriptors validated before use.

03Fix Versions

Branch	Fixed in	Patch commit
4.20	4.20	`82a7d0a1b887`
5.10	5.10.253	`0dcd1ed96c03`
5.15	5.15.203	`a0c6ae2ea845`
5.4	5.4	`8307d93e63d5`
6.1	6.1.167	`d3904ca40515`
6.12	6.12.77	`499ffd15b00d`
6.18	6.18.17	`54f9d645a545`
6.19	6.19.7	—
6.6	6.6.130	`1e5753ff4c2e`
mainline	7.0	—