Home

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Prevent excessive number of frames In this case, the user constructed the parameters with maxpacksize 40 for rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer size for each data URB is maxpacksize * packets, which in this example is 40 * 6 = 240; When the user performs a write operation to send audio data into the ALSA PCM playback stream, the calculated number of frames is packsize[0] * packets = 264, which exceeds the allocated URB buffer size, triggering the out-of-bounds (OOB) issue reported by syzbot [1]. Added a check for the number of single data URB frames when calculating the number of frames to prevent [1]. [1] BUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487 Write of size 264 at addr ffff88804337e800 by task syz.0.17/5506 Call Trace: copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487 prepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611 prepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333

PUBLISHED Reserved 2026-01-13 | Published 2026-02-14 | Updated 2026-02-14 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 62932d9ed639a9fa71b4ac1a56766a4b43abb7e4
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before ef5749ef8b307bf8717945701b1b79d036af0a15
affected

Default status
affected

6.18.10 (semver)
unaffected

6.19 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/62932d9ed639a9fa71b4ac1a56766a4b43abb7e4

git.kernel.org/...c/ef5749ef8b307bf8717945701b1b79d036af0a15

cve.org (CVE-2026-23208)

nvd.nist.gov (CVE-2026-23208)

Download JSON