CVE-2026-23318 (GCVE-0-2026-23318)

Vulnerability from cvelistv5 – Published: 2026-03-25 10:27 – Updated: 2026-04-18 08:57
VLAI?
Title
ALSA: usb-audio: Use correct version for UAC3 header validation
Summary
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Use correct version for UAC3 header validation The entry of the validators table for UAC3 AC header descriptor is defined with the wrong protocol version UAC_VERSION_2, while it should have been UAC_VERSION_3. This results in the validator never matching for actual UAC3 devices (protocol == UAC_VERSION_3), causing their header descriptors to bypass validation entirely. A malicious USB device presenting a truncated UAC3 header could exploit this to cause out-of-bounds reads when the driver later accesses unvalidated descriptor fields. The bug was introduced in the same commit as the recently fixed UAC3 feature unit sub-type typo, and appears to be from the same copy-paste error when the UAC3 section was created from the UAC2 section.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 57f8770620e9b51c61089751f0b5ad3dbe376ff2 , < 82a7d0a1b88798de1a609130080ce0c65dd869e9 (git)
Affected: 57f8770620e9b51c61089751f0b5ad3dbe376ff2 , < 8307d93e63d5f54ef10412d4db2dd551e920dee4 (git)
Affected: 57f8770620e9b51c61089751f0b5ad3dbe376ff2 , < 0dcd1ed96c03459cf14706885c9dd3c1fd8bd29f (git)
Affected: 57f8770620e9b51c61089751f0b5ad3dbe376ff2 , < a0c6ae2ea84528f198bf7fd0117f12fd0cf6d7cc (git)
Affected: 57f8770620e9b51c61089751f0b5ad3dbe376ff2 , < d3904ca40515272681ae61ad6f561c24f190957f (git)
Affected: 57f8770620e9b51c61089751f0b5ad3dbe376ff2 , < 1e5753ff4c2e86aa88516f97a224c90a3d0b133e (git)
Affected: 57f8770620e9b51c61089751f0b5ad3dbe376ff2 , < 499ffd15b00dc91ac95c28f76959dfb5cdcc84d5 (git)
Affected: 57f8770620e9b51c61089751f0b5ad3dbe376ff2 , < 54f9d645a5453d0bfece0c465d34aaf072ea99fa (git)
Affected: 17821e2fb16752f5d363fb5c3f8aab4df41b9bcc (git)
Affected: bf74a46aebb1b5ab5e5f25bafa4ae0a453ba813a (git)
Create a notification for this product.
    Linux Linux Affected: 5.4
Unaffected: 0 , < 5.4 (semver)
Unaffected: 5.10.253 , ≤ 5.10.* (semver)
Unaffected: 5.15.203 , ≤ 5.15.* (semver)
Unaffected: 6.1.167 , ≤ 6.1.* (semver)
Unaffected: 6.6.130 , ≤ 6.6.* (semver)
Unaffected: 6.12.77 , ≤ 6.12.* (semver)
Unaffected: 6.18.17 , ≤ 6.18.* (semver)
Unaffected: 6.19.7 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/validate.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "82a7d0a1b88798de1a609130080ce0c65dd869e9",
              "status": "affected",
              "version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2",
              "versionType": "git"
            },
            {
              "lessThan": "8307d93e63d5f54ef10412d4db2dd551e920dee4",
              "status": "affected",
              "version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2",
              "versionType": "git"
            },
            {
              "lessThan": "0dcd1ed96c03459cf14706885c9dd3c1fd8bd29f",
              "status": "affected",
              "version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2",
              "versionType": "git"
            },
            {
              "lessThan": "a0c6ae2ea84528f198bf7fd0117f12fd0cf6d7cc",
              "status": "affected",
              "version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2",
              "versionType": "git"
            },
            {
              "lessThan": "d3904ca40515272681ae61ad6f561c24f190957f",
              "status": "affected",
              "version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2",
              "versionType": "git"
            },
            {
              "lessThan": "1e5753ff4c2e86aa88516f97a224c90a3d0b133e",
              "status": "affected",
              "version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2",
              "versionType": "git"
            },
            {
              "lessThan": "499ffd15b00dc91ac95c28f76959dfb5cdcc84d5",
              "status": "affected",
              "version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2",
              "versionType": "git"
            },
            {
              "lessThan": "54f9d645a5453d0bfece0c465d34aaf072ea99fa",
              "status": "affected",
              "version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "17821e2fb16752f5d363fb5c3f8aab4df41b9bcc",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "bf74a46aebb1b5ab5e5f25bafa4ae0a453ba813a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/validate.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.77",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.167",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.77",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.17",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.7",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.84",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.3.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Use correct version for UAC3 header validation\n\nThe entry of the validators table for UAC3 AC header descriptor is\ndefined with the wrong protocol version UAC_VERSION_2, while it should\nhave been UAC_VERSION_3.  This results in the validator never matching\nfor actual UAC3 devices (protocol == UAC_VERSION_3), causing their\nheader descriptors to bypass validation entirely.  A malicious USB\ndevice presenting a truncated UAC3 header could exploit this to cause\nout-of-bounds reads when the driver later accesses unvalidated\ndescriptor fields.\n\nThe bug was introduced in the same commit as the recently fixed UAC3\nfeature unit sub-type typo, and appears to be from the same copy-paste\nerror when the UAC3 section was created from the UAC2 section."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-18T08:57:55.922Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/82a7d0a1b88798de1a609130080ce0c65dd869e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/8307d93e63d5f54ef10412d4db2dd551e920dee4"
        },
        {
          "url": "https://git.kernel.org/stable/c/0dcd1ed96c03459cf14706885c9dd3c1fd8bd29f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0c6ae2ea84528f198bf7fd0117f12fd0cf6d7cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3904ca40515272681ae61ad6f561c24f190957f"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e5753ff4c2e86aa88516f97a224c90a3d0b133e"
        },
        {
          "url": "https://git.kernel.org/stable/c/499ffd15b00dc91ac95c28f76959dfb5cdcc84d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/54f9d645a5453d0bfece0c465d34aaf072ea99fa"
        }
      ],
      "title": "ALSA: usb-audio: Use correct version for UAC3 header validation",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23318",
    "datePublished": "2026-03-25T10:27:12.884Z",
    "dateReserved": "2026-01-13T15:37:45.995Z",
    "dateUpdated": "2026-04-18T08:57:55.922Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-23318",
      "date": "2026-04-25",
      "epss": "0.00013",
      "percentile": "0.02387"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23318\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-03-25T11:16:28.390\",\"lastModified\":\"2026-04-23T21:05:42.333\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: usb-audio: Use correct version for UAC3 header validation\\n\\nThe entry of the validators table for UAC3 AC header descriptor is\\ndefined with the wrong protocol version UAC_VERSION_2, while it should\\nhave been UAC_VERSION_3.  This results in the validator never matching\\nfor actual UAC3 devices (protocol == UAC_VERSION_3), causing their\\nheader descriptors to bypass validation entirely.  A malicious USB\\ndevice presenting a truncated UAC3 header could exploit this to cause\\nout-of-bounds reads when the driver later accesses unvalidated\\ndescriptor fields.\\n\\nThe bug was introduced in the same commit as the recently fixed UAC3\\nfeature unit sub-type typo, and appears to be from the same copy-paste\\nerror when the UAC3 section was created from the UAC2 section.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\\n\\nALSA: usb-audio: Usar la versi\u00f3n correcta para la validaci\u00f3n del encabezado UAC3\\n\\nLa entrada de la tabla de validadores para el descriptor de encabezado AC UAC3 est\u00e1 definida con la versi\u00f3n de protocolo incorrecta UAC_VERSION_2, mientras que deber\u00eda haber sido UAC_VERSION_3. Esto resulta en que el validador nunca coincida para dispositivos UAC3 reales (protocolo == UAC_VERSION_3), haciendo que sus descriptores de encabezado omitan la validaci\u00f3n por completo. Un dispositivo USB malicioso que presente un encabezado UAC3 truncado podr\u00eda explotar esto para causar lecturas fuera de l\u00edmites cuando el controlador acceda posteriormente a campos de descriptor no validados.\\n\\nEl error fue introducido en el mismo commit que el error tipogr\u00e1fico del subtipo de unidad de caracter\u00edstica UAC3 recientemente corregido, y parece provenir del mismo error de copiar y pegar cuando la secci\u00f3n UAC3 fue creada a partir de la secci\u00f3n UAC2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.19.84\",\"versionEndExcluding\":\"4.20\",\"matchCriteriaId\":\"B7EACEB9-7173-47F4-83A4-AE06CE74D78B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.3.11\",\"versionEndExcluding\":\"5.4\",\"matchCriteriaId\":\"2C477253-CAE4-47C3-A62D-F5EC4455A1CD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.4.1\",\"versionEndExcluding\":\"5.10.253\",\"matchCriteriaId\":\"5CE4B3A5-1831-420D-B001-512B8103441C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.203\",\"matchCriteriaId\":\"20DDB3E9-AABF-4107-ADB0-5362AA067045\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.167\",\"matchCriteriaId\":\"2EDC6BAF-B710-4E26-B6AA-D68922EE7B43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.130\",\"matchCriteriaId\":\"C57BB918-DF28-46B3-94F7-144176841267\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.77\",\"matchCriteriaId\":\"B3D12E00-E42D-4056-B354-BAD4903C03A5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.18.17\",\"matchCriteriaId\":\"A5E006E4-59C7-43C1-9231-62A72219F2BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.19\",\"versionEndExcluding\":\"6.19.7\",\"matchCriteriaId\":\"69245D10-0B71-485E-80C3-A64F077004D3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.4:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"4D70AB13-37BE-4BD3-A652-10191F1642E4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F253B622-8837-4245-BCE5-A7BF8FC76A16\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F666C8D8-6538-46D4-B318-87610DE64C34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"02259FDA-961B-47BC-AE7F-93D7EC6E90C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"1D2315C0-D46F-4F85-9754-F9E5E11374A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"512EE3A8-A590-4501-9A94-5D4B268D6138\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0dcd1ed96c03459cf14706885c9dd3c1fd8bd29f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/1e5753ff4c2e86aa88516f97a224c90a3d0b133e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/499ffd15b00dc91ac95c28f76959dfb5cdcc84d5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/54f9d645a5453d0bfece0c465d34aaf072ea99fa\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/82a7d0a1b88798de1a609130080ce0c65dd869e9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8307d93e63d5f54ef10412d4db2dd551e920dee4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a0c6ae2ea84528f198bf7fd0117f12fd0cf6d7cc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d3904ca40515272681ae61ad6f561c24f190957f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.