CVE-2026-23208
Published: 14 February 2026
Summary
CVE-2026-23208 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-23208 is an out-of-bounds write vulnerability in the Linux kernel's ALSA USB audio driver, specifically within the sound/usb/pcm.c component. The issue arises when a user constructs USB audio parameters, such as maxpacksize of 40 for a sample rate of 22050 Hz and packets per second (pps) of 1000, with packsize[0] set to 22 and packsize[1] to 23. This results in a USB Request Block (URB) buffer size of 240 bytes (maxpacksize * packets), but the calculated number of frames during a write to the ALSA PCM playback stream becomes 264 (packsize[0] * packets), exceeding the buffer and triggering a slab-out-of-bounds write, as reported by syzbot.
A local attacker with low privileges can exploit this vulnerability by performing a write operation to the ALSA PCM playback stream with crafted parameters. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects low attack complexity with no user interaction required, allowing the attacker to achieve high confidentiality, integrity, and availability impacts, such as arbitrary kernel memory corruption or code execution.
Mitigation involves applying the upstream kernel patches referenced in the stable git commits, including 282aba56713bbc58155716b55ca7222b2d9cf3c8, 480a1490c595a242f27493a4544b3efb21b29f6a, 62932d9ed639a9fa71b4ac1a56766a4b43abb7e4, ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41, and c4dc012b027c9eb101583011089dea14d744e314. These patches add a check for the number of frames in a single data URB during frame calculation to prevent the overflow. Security practitioners should update affected Linux kernels to versions incorporating these fixes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6106
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Prevent excessive number of frames
In this case, the user constructed the parameters with maxpacksize 40 for rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer size for each data URB is maxpacksize * packets, which in this example is 40 * 6 = 240. When the user performs a write operation to send audio data into the ALSA PCM playback stream, the calculated number of frames is packsize[0] * packets = 264, which exceeds the allocated URB buffer size, triggering the out-of-bounds (OOB) issue reported by syzbot [1].
Added a check for the number of single data URB frames when calculating the number of frames to prevent [1].
[1]
BUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487
Write of size 264 at addr ffff88804337e800 by task syz.0.17/5506
Call Trace:
 copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487
 prepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611
 prepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333
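The following Python is an added example, not part of the original advisory or the kernel sources: it parses KASAN reports out of kernel log text and flags those matching the signature quoted above (a slab-out-of-bounds write in copy_to_urb reached through prepare_playback_urb). The log lines are constructed from that report, with an invented timestamp prefix and one unrelated line; the names `parse_kasan_reports`, `matches_copy_to_urb_oob` and `triage` are hypothetical.

```python
import re

# Constructed sample: the KASAN lines quoted above, laid out as a kernel log
# with an invented timestamp prefix and one unrelated line added.
SAMPLE_LOG = """\
[   41.100000] usb 1-1: new full-speed USB device number 2 using dummy_hcd
[   41.900000] BUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487
[   41.900100] Write of size 264 at addr ffff88804337e800 by task syz.0.17/5506
[   41.900200] Call Trace:
[   41.900300]  copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487
[   41.900400]  prepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611
[   41.900500]  prepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
SYM = r"(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+"
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in " + SYM)
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr \S+ by task (?P<task>\S+)/\d+")
FRAME = re.compile(r"^\s*(?:\? )?" + SYM)

def parse_kasan_reports(log_text):
    """Return one dict per KASAN report: kind, faulting function, access, trace."""
    reports, cur, in_trace = [], None, False
    for raw in log_text.splitlines():
        line = TIMESTAMP.sub("", raw)
        if m := HEADER.search(line):
            cur = dict(m.groupdict(), op=None, size=None, task=None, trace=[])
            reports.append(cur)
            in_trace = False
        elif cur is None:
            continue  # nothing to attach this line to yet
        elif m := ACCESS.search(line):
            cur.update(op=m["op"], size=int(m["size"]), task=m["task"])
        elif line.strip() == "Call Trace:":
            in_trace = True
        elif in_trace and (m := FRAME.match(line)):
            cur["trace"].append(m["func"])
        elif in_trace and line.strip() in ("", "</TASK>"):
            in_trace = False  # end of this report's call trace
    return reports

def matches_copy_to_urb_oob(report):
    """Compare symbol names only: offsets and line numbers differ between builds."""
    return (report["kind"] == "slab-out-of-bounds" and report["op"] == "Write"
            and report["func"] == "copy_to_urb"
            and "prepare_playback_urb" in report["trace"])

def triage(log_text):
    return [r for r in parse_kasan_reports(log_text) if matches_copy_to_urb_oob(r)]
```

KASAN reports appear only on kernels built with CONFIG_KASAN, so an empty result on a production kernel says nothing about whether the fix is applied.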
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local out-of-bounds write in kernel ALSA driver enables arbitrary kernel memory corruption/code execution from low-privileged user context, directly matching Exploitation for Privilege Escalation.
Mitigating Controls (NIST 800-53 r5)
Enforces validation of user-supplied USB audio parameters like packsize and maxpacksize to prevent frame count calculations exceeding allocated URB buffer sizes in the ALSA PCM playback stream.
Requires timely remediation of the out-of-bounds write flaw in the Linux kernel's ALSA USB audio driver through application of upstream patches adding frame count checks.
Implements kernel memory protections such as bounds checking and sanitizers to mitigate slab-out-of-bounds writes in USB audio URB buffers.