Cyber Resilience

CVE-2026-23208

High

Published: 14 February 2026

Published
14 February 2026
Modified
18 March 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 4.9th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23208 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23208 is an out-of-bounds write vulnerability in the Linux kernel's ALSA USB audio driver, specifically within the sound/usb/pcm.c component. The issue arises when a user constructs USB audio parameters, such as maxpacksize of 40 for a sample rate of 22050 Hz and packets per second (pps) of 1000, with packsize[0] set to 22 and packsize[1] to 23. This results in a USB Request Block (URB) buffer size of 240 bytes (maxpacksize * packets), but the calculated number of frames during a write to the ALSA PCM playback stream becomes 264 (packsize[0] * packets), exceeding the buffer and triggering a slab-out-of-bounds write, as reported by syzbot.

A local attacker with low privileges can exploit this vulnerability by performing a write operation to the ALSA PCM playback stream with crafted parameters. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects low attack complexity with no user interaction required, allowing the attacker to achieve high confidentiality, integrity, and availability impacts, such as arbitrary kernel memory corruption or code execution.

Mitigation involves applying the upstream kernel patches referenced in the stable git commits, including 282aba56713bbc58155716b55ca7222b2d9cf3c8, 480a1490c595a242f27493a4544b3efb21b29f6a, 62932d9ed639a9fa71b4ac1a56766a4b43abb7e4, ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41, and c4dc012b027c9eb101583011089dea14d744e314. These patches add a check for the number of frames in a single data URB during frame calculation to prevent the overflow. Security practitioners should update affected Linux kernels to versions incorporating these fixes.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Prevent excessive number of frames In this case, the user constructed the parameters with maxpacksize 40 for rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The…

more

buffer size for each data URB is maxpacksize * packets, which in this example is 40 * 6 = 240; When the user performs a write operation to send audio data into the ALSA PCM playback stream, the calculated number of frames is packsize[0] * packets = 264, which exceeds the allocated URB buffer size, triggering the out-of-bounds (OOB) issue reported by syzbot [1]. Added a check for the number of single data URB frames when calculating the number of frames to prevent [1]. [1] BUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487 Write of size 264 at addr ffff88804337e800 by task syz.0.17/5506 Call Trace: copy_to_urb+0x261/0x460 sound/usb/pcm.c:1487 prepare_playback_urb+0x953/0x13d0 sound/usb/pcm.c:1611 prepare_outbound_urb+0x377/0xc50 sound/usb/endpoint.c:333

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local out-of-bounds write in kernel ALSA driver enables arbitrary kernel memory corruption/code execution from low-privileged user context, directly matching Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71137Same product: Linux Linux Kernel
CVE-2026-31772Same product: Linux Linux Kernel
CVE-2026-23378Same product: Linux Linux Kernel
CVE-2026-31494Same product: Linux Linux Kernel
CVE-2025-21735Same product: Linux Linux Kernel
CVE-2025-21650Same product: Linux Linux Kernel
CVE-2024-52319Same product: Linux Linux Kernel
CVE-2024-58003Same product: Linux Linux Kernel
CVE-2026-23343Same product: Linux Linux Kernel
CVE-2026-23092Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
4.4.229, 4.9.229, 6.19 · 4.14.186 — 4.14.188 · 4.19.130 — 4.19.132 · 5.4.49 — 5.4.51

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces validation of user-supplied USB audio parameters like packsize and maxpacksize to prevent frame count calculations exceeding allocated URB buffer sizes in the ALSA PCM playback stream.

prevent

Requires timely remediation of the out-of-bounds write flaw in the Linux kernel's ALSA USB audio driver through application of upstream patches adding frame count checks.

prevent

Implements kernel memory protections such as bounds checking and sanitizers to mitigate slab-out-of-bounds writes in USB audio URB buffers.

References