Security Vulnerability Report
CVE-2026-23318 CVSS 7.1 HIGH

CVE-2026-23318

Published: 2026-03-25 11:16:28
Last Modified: 2026-04-23 21:05:42
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Use correct version for UAC3 header validation

The entry of the validators table for UAC3 AC header descriptor is defined with the wrong protocol version UAC_VERSION_2, while it should have been UAC_VERSION_3. This results in the validator never matching for actual UAC3 devices (protocol == UAC_VERSION_3), causing their header descriptors to bypass validation entirely. A malicious USB device presenting a truncated UAC3 header could exploit this to cause out-of-bounds reads when the driver later accesses unvalidated descriptor fields.

The bug was introduced in the same commit as the recently fixed UAC3 feature unit sub-type typo, and appears to be from the same copy-paste error when the UAC3 section was created from the UAC2 section.
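Added example (not kernel code and not part of the original record): a simplified model of a validator table lookup, showing why an entry tagged with the wrong protocol version lets a short header through and how the corrected tag rejects it. All names, the minimum lengths and the sample bytes are assumptions constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a descriptor validator table. All names and the
 * minimum lengths are assumptions of this example, not kernel identifiers. */
enum { VER_2 = 0x20, VER_3 = 0x30 };
enum { SUBTYPE_HEADER = 0x01 };

struct validator {
    int     protocol;  /* protocol version the entry applies to */
    uint8_t subtype;   /* bDescriptorSubtype the entry applies to */
    size_t  min_len;   /* smallest acceptable bLength; 0 ends the table */
};

/* UAC3 header entry tagged with version 2, as the description states. */
static const struct validator table_buggy[] = {
    { VER_2, SUBTYPE_HEADER, 9 }, { VER_2, SUBTYPE_HEADER, 10 }, { 0, 0, 0 } };
/* Same table with the UAC3 entry tagged with version 3. */
static const struct validator table_fixed[] = {
    { VER_2, SUBTYPE_HEADER, 9 }, { VER_3, SUBTYPE_HEADER, 10 }, { 0, 0, 0 } };

/* Constructed samples: a header claiming 8 bytes and a full 10-byte header. */
static const uint8_t hdr_truncated[] = { 0x08, 0x24, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00 };
static const uint8_t hdr_full[]      = { 0x0a, 0x24, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00 };

/* Returns true when the descriptor is accepted for further parsing. */
static bool validate(const uint8_t *d, size_t avail, int protocol,
                     const struct validator *t)
{
    if (avail < 3 || d[0] < 3 || d[0] > avail)
        return false;                    /* generic length sanity check */
    for (; t->min_len; t++)
        if (t->subtype == d[2] && t->protocol == protocol)
            return d[0] >= t->min_len;   /* first matching entry decides */
    return true;                         /* no entry matched: passes unchecked */
}

int main(void)
{
    printf("buggy table, truncated UAC3 header: %d\n",
           validate(hdr_truncated, sizeof hdr_truncated, VER_3, table_buggy));
    printf("fixed table, truncated UAC3 header: %d\n",
           validate(hdr_truncated, sizeof hdr_truncated, VER_3, table_fixed));
    printf("fixed table, full UAC3 header:      %d\n",
           validate(hdr_full, sizeof hdr_full, VER_3, table_fixed));
    return 0;
}
```

In this model the fall-through `return true` is what turns a mislabelled table entry into a validation bypass: a lookup that finds no entry accepts the descriptor unchecked.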

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 4.19.84, before 4.20) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.3.11, before 5.4) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.4.1, before 5.10.253) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.11, before 5.15.203) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.16, before 6.1.167) - VULNERABLE
Linux Kernel (Versions with the specific commit introducing the UAC3 copy-paste error, prior to patches in March 2026)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC Concept: Malicious UAC3 Header Descriptor
 * This structure simulates a truncated UAC3 header descriptor
 * that would trigger the out-of-bounds read due to validation bypass.
 */
#include <stdint.h>

struct uac3_ac_header_descriptor {
    uint8_t bLength;            // Intentionally set to a smaller value
    uint8_t bDescriptorType;
    uint8_t bDescriptorSubtype;
    uint16_t bcdADC;
    uint8_t bCategory;
    uint16_t wTotalLength;
    uint32_t bmControls;        // Accessing this may go OOB if bLength is small
} __attribute__((packed));

// Example of how a malicious device might define the descriptor
struct uac3_ac_header_descriptor malicious_desc = {
    .bLength = 0x08,            // Truncated length, actual size should be larger to cover fields
    .bDescriptorType = 0x24,
    .bDescriptorSubtype = 0x01,
    .bcdADC = 0x0300,           // UAC3.00
    .bCategory = 0x00,
    .wTotalLength = 0x0010,
    .bmControls = 0x00000000
};

/*
 * Note: Triggering this vulnerability requires a physical USB device
 * emulating this descriptor structure or a modified kernel module.
 */

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23318", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:28.390", "lastModified": "2026-04-23T21:05:42.333", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Use correct version for UAC3 header validation\n\nThe entry of the validators table for UAC3 AC header descriptor is\ndefined with the wrong protocol version UAC_VERSION_2, while it should\nhave been UAC_VERSION_3. This results in the validator never matching\nfor actual UAC3 devices (protocol == UAC_VERSION_3), causing their\nheader descriptors to bypass validation entirely. A malicious USB\ndevice presenting a truncated UAC3 header could exploit this to cause\nout-of-bounds reads when the driver later accesses unvalidated\ndescriptor fields.\n\nThe bug was introduced in the same commit as the recently fixed UAC3\nfeature unit sub-type typo, and appears to be from the same copy-paste\nerror when the UAC3 section was created from the UAC2 section."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nALSA: usb-audio: Usar la versión correcta para la validación del encabezado UAC3\n\nLa entrada de la tabla de validadores para el descriptor de encabezado AC UAC3 está definida con la versión de protocolo incorrecta UAC_VERSION_2, mientras que debería haber sido UAC_VERSION_3. Esto resulta en que el validador nunca coincida para dispositivos UAC3 reales (protocolo == UAC_VERSION_3), haciendo que sus descriptores de encabezado omitan la validación por completo. 
Un dispositivo USB malicioso que presente un encabezado UAC3 truncado podría explotar esto para causar lecturas fuera de límites cuando el controlador acceda posteriormente a campos de descriptor no validados.\n\nEl error fue introducido en el mismo commit que el error tipográfico del subtipo de unidad de característica UAC3 recientemente corregido, y parece provenir del mismo error de copiar y pegar cuando la sección UAC3 fue creada a partir de la sección UAC2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.84", "versionEndExcluding": "4.20", "matchCriteriaId": "B7EACEB9-7173-47F4-83A4-AE06CE74D78B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3.11", "versionEndExcluding": "5.4", "matchCriteriaId": "2C477253-CAE4-47C3-A62D-F5EC4455A1CD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.1", "versionEndExcluding": "5.10.253", "matchCriteriaId": "5CE4B3A5-1831-420D-B001-512B8103441C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.203", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045"}, 
{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.167", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.130", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.77", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.17", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.7", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.4:-:*:*:*:*:*:*", "matchCriteriaId": "4D70AB13-37BE-4BD3-A652-10191F1642E4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true ... (truncated)