{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23318", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.995Z", "datePublished": "2026-03-25T10:27:12.884Z", "dateUpdated": "2026-03-25T10:27:12.884Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:12.884Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Use correct version for UAC3 header validation\n\nThe entry of the validators table for UAC3 AC header descriptor is\ndefined with the wrong protocol version UAC_VERSION_2, while it should\nhave been UAC_VERSION_3. This results in the validator never matching\nfor actual UAC3 devices (protocol == UAC_VERSION_3), causing their\nheader descriptors to bypass validation entirely. A malicious USB\ndevice presenting a truncated UAC3 header could exploit this to cause\nout-of-bounds reads when the driver later accesses unvalidated\ndescriptor fields.\n\nThe bug was introduced in the same commit as the recently fixed UAC3\nfeature unit sub-type typo, and appears to be from the same copy-paste\nerror when the UAC3 section was created from the UAC2 section."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/usb/validate.c"], "versions": [{"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2", "lessThan": "0dcd1ed96c03459cf14706885c9dd3c1fd8bd29f", "status": "affected", "versionType": "git"}, {"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2", "lessThan": "a0c6ae2ea84528f198bf7fd0117f12fd0cf6d7cc", "status": "affected", "versionType": "git"}, {"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2", "lessThan": "d3904ca40515272681ae61ad6f561c24f190957f", "status": "affected", "versionType": "git"}, {"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2", "lessThan": "1e5753ff4c2e86aa88516f97a224c90a3d0b133e", "status": "affected", "versionType": "git"}, {"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2", "lessThan": "499ffd15b00dc91ac95c28f76959dfb5cdcc84d5", "status": "affected", "versionType": "git"}, {"version": "57f8770620e9b51c61089751f0b5ad3dbe376ff2", "lessThan": "54f9d645a5453d0bfece0c465d34aaf072ea99fa", "status": "affected", "versionType": "git"}, {"version": "17821e2fb16752f5d363fb5c3f8aab4df41b9bcc", "status": "affected", "versionType": "git"}, {"version": "bf74a46aebb1b5ab5e5f25bafa4ae0a453ba813a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/usb/validate.c"], "versions": [{"version": "5.4", "status": "affected"}, {"version": "0", "lessThan": "5.4", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "7.0-rc2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.84"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3.11"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0dcd1ed96c03459cf14706885c9dd3c1fd8bd29f"}, {"url": "https://git.kernel.org/stable/c/a0c6ae2ea84528f198bf7fd0117f12fd0cf6d7cc"}, {"url": "https://git.kernel.org/stable/c/d3904ca40515272681ae61ad6f561c24f190957f"}, {"url": "https://git.kernel.org/stable/c/1e5753ff4c2e86aa88516f97a224c90a3d0b133e"}, {"url": "https://git.kernel.org/stable/c/499ffd15b00dc91ac95c28f76959dfb5cdcc84d5"}, {"url": "https://git.kernel.org/stable/c/54f9d645a5453d0bfece0c465d34aaf072ea99fa"}], "title": "ALSA: usb-audio: Use correct version for UAC3 header validation", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Use correct version for UAC3 header validation\n\nThe entry of the validators table for UAC3 AC header descriptor is\ndefined with the wrong protocol version UAC_VERSION_2, while it should\nhave been UAC_VERSION_3. This results in the validator never matching\nfor actual UAC3 devices (protocol == UAC_VERSION_3), causing their\nheader descriptors to bypass validation entirely. A malicious USB\ndevice presenting a truncated UAC3 header could exploit this to cause\nout-of-bounds reads when the driver later accesses unvalidated\ndescriptor fields.\n\nThe bug was introduced in the same commit as the recently fixed UAC3\nfeature unit sub-type typo, and appears to be from the same copy-paste\nerror when the UAC3 section was created from the UAC2 section."}], "id": "CVE-2026-23318", "lastModified": "2026-03-25T11:16:28.390", "metrics": {}, "published": "2026-03-25T11:16:28.390", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0dcd1ed96c03459cf14706885c9dd3c1fd8bd29f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1e5753ff4c2e86aa88516f97a224c90a3d0b133e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/499ffd15b00dc91ac95c28f76959dfb5cdcc84d5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/54f9d645a5453d0bfece0c465d34aaf072ea99fa"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a0c6ae2ea84528f198bf7fd0117f12fd0cf6d7cc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d3904ca40515272681ae61ad6f561c24f190957f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}