CVE-2026-52963

ANALYSIS PENDING

ALSA: usb-audio: Bound MIDI endpoint descriptor scans

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Bound MIDI endpoint descriptor scans snd_usbmidi_get_ms_info() validates the internal MIDIStreaming endpoint descriptor size before using baAssocJackID[], but the descriptor walker can still return a class-specific endpoint descriptor whose bLength exceeds the remaining bytes in the endpoint-extra scan. That leaves later flexible-array reads bounded by bLength, but not by the remaining bytes in the endpoint-extra scan. Stop walking when bLength is zero or extends past the remaining endpoint-extra scan.

Scores

EPSS 0.0018
EPSS Percentile 8.2%

Details

Status published
Products (35)
linux/Kernel 5.11.0 - 5.15.209linux
linux/Kernel 5.16.0 - 6.1.175linux
linux/Kernel 5.7.0 - 5.10.258linux
linux/Kernel 6.13.0 - 6.18.33linux
linux/Kernel 6.19.0 - 7.0.10linux
linux/Kernel 6.2.0 - 6.6.141linux
linux/Kernel 6.7.0 - 6.12.91linux
Linux/Linux < 5.7
Linux/Linux 0868bc5654c07628c421547f0821650a8c2cb8f3
Linux/Linux 4.14.200 - 4.15
... and 25 more
Published Jun 24, 2026
Tracked Since Jun 24, 2026