HIGH
alsa SPDIFI1 OOB
CVE-2026-31776
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI5.5MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Fix missing SPDIFI1 index handling SPDIF1 DAIO type isn't properly handled in daio_device_index() for hw20k2, and it returned -EINVAL, which ended up with the out-of-bounds array access. Follow the hw20k1 pattern and return the proper index for this type, too.
02KernelScan AI Analysis
Risk summary
Systems with Creative X-Fi audio hardware are vulnerable to a kernel denial of service when the SPDIF1 digital audio interface is used. The daio_device_index() function returns an invalid value for the SPDIFI1 type on hw20k2, leading to an out-of-bounds array access that causes a kernel oops or panic.
Vulnerability analysis
The daio_device_index() function in the ALSA ctxfi driver is missing a case for the SPDIFI1 DAIO type when handling hw20k2 hardware. It returns -EINVAL instead of a valid array index, and this invalid value is subsequently used as an array index, resulting in an out-of-bounds access. The fix adds the missing case to return index 1 for SPDIFI1, matching the hw20k1 implementation. The invalid index causes a page fault on access, resulting in a kernel crash. Exploitation requires local access to the system and the presence of the affected Creative X-Fi hardware.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.19 | 6.19.12 | 950decf59d4e |
| mainline | 7.0 | b045ab3dff97 |