{ "threat_severity" : "Moderate", "public_date" : "2026-02-14T00:00:00Z", "bugzilla" : { "description" : "kernel: ALSA: usb-audio: Prevent excessive number of frames", "id" : "2439906", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2439906" }, "cvss3" : { "cvss3_base_score" : "6.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H", "status" : "draft" }, "cwe" : "CWE-805", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nALSA: usb-audio: Prevent excessive number of frames\nIn this case, the user constructed the parameters with maxpacksize 40\nfor rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer\nsize for each data URB is maxpacksize * packets, which in this example\nis 40 * 6 = 240; When the user performs a write operation to send audio\ndata into the ALSA PCM playback stream, the calculated number of frames\nis packsize[0] * packets = 264, which exceeds the allocated URB buffer\nsize, triggering the out-of-bounds (OOB) issue reported by syzbot [1].\nAdded a check for the number of single data URB frames when calculating\nthe number of frames to prevent [1].\n[1]\nBUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487\nWrite of size 264 at addr ffff88804337e800 by task syz.0.17/5506\nCall Trace:\ncopy_to_urb+0x261/0x460 sound/usb/pcm.c:1487\nprepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611\nprepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333", "A heap buffer overflow vulnerability was found in the USB audio driver. When user-supplied audio parameters result in a frame count larger than the allocated URB buffer size, the copy_to_urb() function writes beyond the buffer boundary, causing an out-of-bounds write." ], "statement" : "Exploitation requires the ability to configure USB audio device parameters, which typically needs access to the audio device. A malicious local user could potentially craft parameters to trigger the overflow. The OOB write could lead to kernel memory corruption or crash.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Under investigation", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23208\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23208\nhttps://lore.kernel.org/linux-cve-announce/2026021439-CVE-2026-23208-cc9e@gregkh/T" ], "name" : "CVE-2026-23208", "csaw" : false }