Cyber Resilience

CVE-2026-23078

High

Published: 04 February 2026

Published
04 February 2026
Modified
18 March 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 6.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23078 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23078 is a buffer overflow vulnerability in the Linux kernel's ALSA scarlett2 USB audio driver, specifically within the scarlett2_usb_get_config() function used for configuration retrieval. The issue stems from a logic error in the endianness conversion code: it incorrectly checks the total buffer size (size == 2) before looping count times and treating each element as a u16 (2 bytes), leading to access of count * 2 bytes when only size bytes are allocated. This occurs when count > 1, enabling an out-of-bounds write (CWE-787). The vulnerability affects Linux kernels with the scarlett2 driver enabled and has a CVSS v3.1 base score of 7.8.

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows high-impact consequences, including unauthorized disclosure of information, modification of data, and denial of service, potentially leading to arbitrary code execution or system crashes within the kernel context.

Mitigation involves applying the upstream kernel patches provided in the referenced stable commits, such as 27049f50be9f5ae3a62d272128ce0b381cb26a24, 31a3eba5c265a763260976674a22851e83128f6d, 51049f6e3f05d70660e2458ad3bb302a3721b751, 6f5c69f72e50d51be3a8c028ae7eda42c82902cb, and 91a756d22f0482eac5bedb113c8922f90b254449. These fixes correct the check to use the element size (config_item->size) instead of the total buffer size, ensuring proper endianness conversion aligned with the element type. Security practitioners should update affected Linux distributions promptly.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: ALSA: scarlett2: Fix buffer overflow in config retrieval The scarlett2_usb_get_config() function has a logic error in the endianness conversion code that can cause buffer overflows when count > 1. The…

more

code checks `if (size == 2)` where `size` is the total buffer size in bytes, then loops `count` times treating each element as u16 (2 bytes). This causes the loop to access `count * 2` bytes when the buffer only has `size` bytes allocated. Fix by checking the element size (config_item->size) instead of the total buffer size. This ensures the endianness conversion matches the actual element type.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Buffer overflow in kernel driver directly enables local exploitation for privilege escalation to kernel context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71137Same product: Linux Linux Kernel
CVE-2026-31772Same product: Linux Linux Kernel
CVE-2026-23378Same product: Linux Linux Kernel
CVE-2026-31494Same product: Linux Linux Kernel
CVE-2025-21735Same product: Linux Linux Kernel
CVE-2025-21650Same product: Linux Linux Kernel
CVE-2024-52319Same product: Linux Linux Kernel
CVE-2024-58003Same product: Linux Linux Kernel
CVE-2026-23343Same product: Linux Linux Kernel
CVE-2026-23092Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.19 · 5.14 — 5.15.199 · 5.16 — 6.1.162 · 6.2 — 6.6.122

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by identifying, reporting, and patching the buffer overflow flaw in scarlett2_usb_get_config() via upstream kernel fixes.

prevent

Enforces validation of configuration buffer parameters like count and element size to prevent out-of-bounds writes during endianness conversion.

prevent

Implements kernel memory protections such as non-executable memory and address randomization to limit exploitation impact of the buffer overflow.

References