CVE-2026-31778

Published: May 2, 2026Last modified: May 2, 2026

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: fix stack out-of-bounds read in init_card The loop creates a whitespace-stripped copy of the card shortname where `len < sizeof(card->id)` is used for the bounds check. Since sizeof(card->id) is 16 and the local id buffer is also 16 bytes, writing 16 non-space characters fills the entire buffer, overwriting the terminating nullbyte. When this non-null-terminated string is later passed to snd_card_set_id() -> copy_valid_id_string(), the function scans forward with `while (*nid && ...)` and reads past the end of the stack buffer, reading the contents of the stack. A USB device with a product name containing many non-ASCII, non-space characters (e.g. multibyte UTF-8) will reliably trigger this as follows: BUG: KASAN: stack-out-of-bounds in copy_valid_id_string sound/core/init.c:696 [inline] BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock+0x698/0x74c sound/core/init.c:718 The off-by-one has been present since commit bafeee5b1f8d ("ALSA: snd_usb_caiaq: give better shortname") from June 2009 (v2.6.31-rc1), which first introduced this whitespace-stripping loop. The original code never accounted for the null terminator when bounding the copy. Fix this by changing the loop bound to `sizeof(card->id) - 1`, ensuring at least one byte remains as the null terminator.

Severity score breakdown

Parameter	Value
Base score	7.1
Attack Vector	LOCAL
Attack complexity	LOW
Privileges required	LOW
User interaction	NONE
Scope	UNCHANGED
Confidentiality	HIGH
Integrity impact	NONE
Availability impact	HIGH
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Status

Product	Release	Package	Status
Alpaquita Linux	23 LTS	linux-lts	Fixed (6.1.168-r0)
	25 LTS	linux-lts	Fixed (6.12.81-r0)
	Stream	linux-lts	Fixed (6.12.85-r0)

CVE-2026-31778

Description

Severity score breakdown

Status

References