Out-of-Bounds Write Vulnerability in Linux Kernel ALSA USB-Audio
CVE-2026-43279

Currently unrated

Key Information:

Vendor: Linux

CVE Published: 6 May 2026

What is CVE-2026-43279?

A vulnerability has been identified in the ALSA USB-audio component of the Linux kernel. The issue arises when handling playback URB packets in implicit framebuffer mode: the code assumes, without checking, that incoming data packets conform to the expected buffer size. When the setup of the capture and playback streams differs, for example because of limits imposed by the USB core maximum packet size, this mismatch can lead to out-of-bounds writes and potentially a crash. To mitigate this, a sanity check has been added to the prepare_silent_urb() function so that the transfer buffer size is validated before data is copied. Note that this fix does not resolve the underlying cause of the playback errors.
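The kind of size check described above, as an added userspace sketch in C (not the kernel's code and not the actual patch). The struct, the function name and the packet sizes are assumptions made for illustration; packet lengths that come from another stream are validated against the transfer buffer size before any silence is written.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical userspace model; these names are not the kernel's. */
struct silent_xfer {
    uint8_t *buf;      /* playback transfer buffer */
    size_t buf_size;   /* bytes allocated for buf */
    size_t stride;     /* bytes per audio frame */
};

/*
 * Write silence for n packets whose frame counts come from another
 * stream. Returns bytes written, or -1 if the packets would not fit,
 * in which case the buffer is left untouched.
 */
long fill_silence_checked(struct silent_xfer *x,
                          const unsigned *frames, size_t n)
{
    size_t offs = 0;

    /* Validate every packet before writing; offs <= buf_size holds. */
    for (size_t i = 0; i < n; i++) {
        /* Division form avoids overflow in frames[i] * stride. */
        if (x->stride && frames[i] > (x->buf_size - offs) / x->stride)
            return -1;
        offs += (size_t)frames[i] * x->stride;
    }
    memset(x->buf, 0, offs);   /* now known to stay in bounds */
    return (long)offs;
}

int main(void)
{
    /* Constructed sizes: room for 4 packets of 48 frames, 4 bytes each. */
    uint8_t mem[768];
    struct silent_xfer x = { mem, sizeof(mem), 4 };
    unsigned fits[4] = { 48, 48, 48, 48 };
    unsigned too_big[4] = { 64, 64, 64, 64 };   /* other stream's sizes */

    printf("matching packets: %ld\n", fill_silence_checked(&x, fits, 4));
    printf("oversized packets: %ld\n", fill_silence_checked(&x, too_big, 4));
    return 0;
}
```

Rejecting the request this way prevents the memory corruption only; as the description says of the real fix, it does nothing about why the two streams disagree on packet size.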

Affected Version(s)

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 780dc57794a217b49994fa1d0b42465fb10a00aa

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 8995fc0e00b3fee9bf7ecb3d836b635b730c1049
