HIGH
alsa USB Silencing OOB
CVE-2026-43279
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI6.1MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Add sanity check for OOB writes at silencing At silencing the playback URB packets in the implicit fb mode before the actual playback, we blindly assume that the received packets fit with the buffer size. But when the setup in the capture stream differs from the playback stream (e.g. due to the USB core limitation of max packet size), such an inconsistency may lead to OOB writes to the buffer, resulting in a crash. For addressing it, add a sanity check of the transfer buffer size at prepare_silent_urb(), and stop the data copy if the received data overflows. Also, report back the transfer error properly from there, too. Note that this doesn't fix the root cause of the playback error itself, but this merely covers the kernel Oops.
02KernelScan AI Analysis
Risk summary
Local users with access to USB audio devices can trigger a kernel crash through out-of-bounds buffer writes. The vulnerability occurs when USB audio streams have mismatched configurations between capture and playback, causing the kernel to write beyond allocated buffer boundaries during audio silencing operations.
Vulnerability analysis
The root cause is in prepare_silent_urb() where the code blindly assumes received USB audio packets fit within the allocated buffer size without validation. When capture and playback streams have different configurations (due to USB core max packet size limitations), the function can write beyond buffer boundaries while silencing playback URB packets in implicit feedback mode. The fix adds bounds checking by verifying that offs + length + extra does not exceed ctx->buffer_size before performing memory operations, and properly handles error conditions by returning appropriate error codes instead of proceeding with unsafe writes.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.202 | fa01973bb79d |
| 6.1 | 6.1.165 | 780dc57794a2 |
| 6.12 | 6.12.75 | fc9e5af60dc1 |
| 6.18 | 6.18.16 | 6af16f1b8649 |
| 6.19 | 6.19.6 | ccaf9296763b |
| 6.6 | 6.6.128 | 8995fc0e00b3 |
| mainline | 7.0 | fba2105a157f |