Home

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Prevent excessive number of frames In this case, the user constructed the parameters with maxpacksize 40 for rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer size for each data URB is maxpacksize * packets, which in this example is 40 * 6 = 240; When the user performs a write operation to send audio data into the ALSA PCM playback stream, the calculated number of frames is packsize[0] * packets = 264, which exceeds the allocated URB buffer size, triggering the out-of-bounds (OOB) issue reported by syzbot [1]. Added a check for the number of single data URB frames when calculating the number of frames to prevent [1]. [1] BUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487 Write of size 264 at addr ffff88804337e800 by task syz.0.17/5506 Call Trace: copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487 prepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611 prepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333

PUBLISHED Reserved 2026-01-13 | Published 2026-02-14 | Updated 2026-05-23 | Assigner Linux

Product status

Default status
unaffected

02c56650f3c118d3752122996d96173d26bb13aa (git) before 480a1490c595a242f27493a4544b3efb21b29f6a
affected

5ef30e443e6d3654cccecec99cf481a69a0a6d3b (git) before ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41
affected

99703c921864a318e3e8aae74fde071b1ff35bea (git) before 282aba56713bbc58155716b55ca7222b2d9cf3c8
affected

2d50acd7dbd0682a56968ad9551341d7fc5b6eaf (git) before c4dc012b027c9eb101583011089dea14d744e314
affected

aba41867dd66939d336fdf604e4d73b805d8039f (git) before e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360
affected

d288dc74f8cf95cb7ae0aaf245b7128627a49bf3 (git) before d67dde02049e632ba58d3c44a164a74b6a737154
affected

f0bd62b64016508938df9babe47f65c2c727d25c (git) before 62932d9ed639a9fa71b4ac1a56766a4b43abb7e4
affected

f0bd62b64016508938df9babe47f65c2c727d25c (git) before ef5749ef8b307bf8717945701b1b79d036af0a15
affected

4.4.229 (semver) before 4.4.230
affected

4.9.229 (semver) before 4.9.230
affected

4.14.186 (semver) before 4.14.188
affected

4.19.130 (semver) before 4.19.132
affected

5.4.49 (semver) before 5.4.51
affected

5.7.6 (semver) before 5.7.8
affected

Default status
affected

5.8
affected

Any version before 5.8
unaffected

4.4.230 (semver)
unaffected

4.9.230 (semver)
unaffected

4.14.188 (semver)
unaffected

4.19.132 (semver)
unaffected

5.4.51 (semver)
unaffected

5.7.8 (semver)
unaffected

6.18.10 (semver)
unaffected

6.19 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/480a1490c595a242f27493a4544b3efb21b29f6a

git.kernel.org/...c/ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41

git.kernel.org/...c/282aba56713bbc58155716b55ca7222b2d9cf3c8

git.kernel.org/...c/c4dc012b027c9eb101583011089dea14d744e314

git.kernel.org/...c/e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360

git.kernel.org/...c/d67dde02049e632ba58d3c44a164a74b6a737154

git.kernel.org/...c/62932d9ed639a9fa71b4ac1a56766a4b43abb7e4

git.kernel.org/...c/ef5749ef8b307bf8717945701b1b79d036af0a15

cve.org (CVE-2026-23208)

nvd.nist.gov (CVE-2026-23208)

Download JSON