CVE-2026-23318
Published: 25 March 2026
Summary
CVE-2026-23318 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Hardware Additions (T1200). It is ranked at the 6.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-41 (Port and I/O Device Access) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-23318 is a vulnerability in the Linux kernel's ALSA USB-audio driver, specifically affecting validation of UAC3 (USB Audio Class 3) AC header descriptors. The validators table entry for UAC3 uses the incorrect protocol version UAC_VERSION_2 instead of UAC_VERSION_3, causing the validator to fail matching for actual UAC3 devices. This bypasses header descriptor validation entirely, allowing a malicious USB device presenting a truncated UAC3 header to trigger out-of-bounds reads when the driver accesses unvalidated descriptor fields. The issue stems from a copy-paste error during UAC3 section creation from UAC2 code and is classified as CWE-125 (Out-of-bounds Read) with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).
A local attacker with low privileges can exploit this vulnerability by connecting a malicious USB audio device that presents a malformed UAC3 header descriptor. Physical access to the target system is required to insert the device, after which the driver processes the descriptor without proper validation. Successful exploitation leads to out-of-bounds memory reads, potentially disclosing sensitive kernel memory (high confidentiality impact) or causing denial of service through system crashes (high availability impact), though no integrity impact is possible.
Mitigation requires updating the Linux kernel to versions incorporating the relevant stable patches, available via kernel.org git commits such as 0dcd1ed96c03459cf14706885c9dd3c1fd8bd29f, 1e5753ff4c2e86aa88516f97a224c90a3d0b133e, 499ffd15b00dc91ac95c28f76959dfb5cdcc84d5, 54f9d645a5453d0bfece0c465d34aaf072ea99fa, and 82a7d0a1b88798de1a609130080ce0c65dd869e9. These patches correct the protocol version in the UAC3 validators table entry to UAC_VERSION_3, restoring proper header validation.
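The mechanism described above (a validators-table row keyed on the wrong protocol version, so the lookup never matches and the descriptor is accepted unchecked) is easy to see in a small model. The C below is an added illustration, not the kernel's validate.c: the table layout, `struct desc_validator`, `validate_desc`, `driver_would_read_oob`, `UAC3_AC_HEADER_SIZE` and the two sample descriptors are assumptions made for this example, and the numeric values of the `UAC_VERSION_*` and descriptor-type constants are illustrative. It keeps one behaviour that matters for the bug: a descriptor that matches no validator is skipped, not rejected, which is why a mis-keyed row becomes a bypass.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants named in the advisory; numeric values are illustrative here. */
#define UAC_VERSION_2        0x20
#define UAC_VERSION_3        0x30
#define USB_DT_CS_INTERFACE  0x24
#define UAC_HEADER           0x01

/* Assumed wire layout of a UAC3 AC header descriptor (10 bytes):
 * bLength, bDescriptorType, bDescriptorSubtype, bCategory,
 * wTotalLength (2 bytes), bmControls (4 bytes). */
#define UAC3_AC_HEADER_SIZE  10

/* One validators-table row: which (protocol, type, subtype) it applies to
 * and the minimum length the descriptor must have. Hypothetical shape. */
struct desc_validator {
    uint8_t protocol;
    uint8_t type;
    uint8_t subtype;
    size_t  min_size;
};

/* Table as the advisory describes it before the fix: the UAC3 header row
 * is keyed on UAC_VERSION_2, so it never matches a real UAC3 device. */
static const struct desc_validator validators_before_fix[] = {
    { UAC_VERSION_2, USB_DT_CS_INTERFACE, UAC_HEADER, UAC3_AC_HEADER_SIZE },
    { 0, 0, 0, 0 },  /* terminator */
};

/* Same table with the row corrected to UAC_VERSION_3. */
static const struct desc_validator validators_after_fix[] = {
    { UAC_VERSION_3, USB_DT_CS_INTERFACE, UAC_HEADER, UAC3_AC_HEADER_SIZE },
    { 0, 0, 0, 0 },
};

/* Walk the table and apply the first matching row's size check.
 * A descriptor that matches no row is accepted without any check. */
static bool validate_desc(const struct desc_validator *table, int protocol,
                          const uint8_t *desc, size_t len)
{
    if (len < 3)          /* need at least bLength, bDescriptorType, bDescriptorSubtype */
        return false;
    for (const struct desc_validator *v = table; v->type; v++) {
        if (v->protocol != protocol || v->type != desc[1] || v->subtype != desc[2])
            continue;
        return len >= v->min_size && desc[0] >= v->min_size;
    }
    return true;          /* no validator matched: validation skipped, not failed */
}

/* True if, after validation, the driver would still go on to read the
 * 4-byte bmControls field at offset 6 from a descriptor too short to hold it
 * (the out-of-bounds read the advisory describes); false if it was rejected
 * up front or is long enough. */
static bool driver_would_read_oob(const struct desc_validator *table,
                                  const uint8_t *desc, size_t len)
{
    if (!validate_desc(table, UAC_VERSION_3, desc, len))
        return false;
    return len < 6 + 4;
}

/* Constructed sample: a UAC3 AC header truncated to 6 bytes (bmControls missing). */
static const uint8_t truncated_uac3_header[] = {
    0x06, USB_DT_CS_INTERFACE, UAC_HEADER, 0x00, 0x06, 0x00
};

/* Constructed sample: a well-formed 10-byte UAC3 AC header. */
static const uint8_t full_uac3_header[] = {
    0x0a, USB_DT_CS_INTERFACE, UAC_HEADER, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    printf("truncated header, table before fix: accepted=%d oob=%d\n",
           validate_desc(validators_before_fix, UAC_VERSION_3,
                         truncated_uac3_header, sizeof truncated_uac3_header),
           driver_would_read_oob(validators_before_fix,
                                 truncated_uac3_header, sizeof truncated_uac3_header));
    printf("truncated header, table after fix:  accepted=%d oob=%d\n",
           validate_desc(validators_after_fix, UAC_VERSION_3,
                         truncated_uac3_header, sizeof truncated_uac3_header),
           driver_would_read_oob(validators_after_fix,
                                 truncated_uac3_header, sizeof truncated_uac3_header));
    return 0;
}
```

The point to take from the model is that correctness of the table key is itself a security boundary: with the wrong key the size check is simply absent, and the fix is a one-token change of the row's protocol version, which is what the cited commits do.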
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15267
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Use correct version for UAC3 header validation

The entry of the validators table for UAC3 AC header descriptor is defined with the wrong protocol version UAC_VERSION_2, while it should have been UAC_VERSION_3. This results in the validator never matching for actual UAC3 devices (protocol == UAC_VERSION_3), causing their header descriptors to bypass validation entirely. A malicious USB device presenting a truncated UAC3 header could exploit this to cause out-of-bounds reads when the driver later accesses unvalidated descriptor fields. The bug was introduced in the same commit as the recently fixed UAC3 feature unit sub-type typo, and appears to be from the same copy-paste error when the UAC3 section was created from the UAC2 section.
Related Threats
MITRE ATT&CK Enterprise Techniques
- Hardware Additions (T1200)
Why these techniques?
The vulnerability is triggered by connecting a malicious USB device, which directly enables hardware-based initial access and kernel memory disclosure or denial of service.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces proper validation of USB audio class UAC3 header descriptors to prevent bypass and subsequent out-of-bounds reads from malformed inputs.
- Flaw remediation: requires timely remediation of the kernel flaw via patches that correct the UAC3 protocol version check, eliminating the validation bypass.
- SC-41 (Port and I/O Device Access): restricts access to USB ports and I/O devices, preventing physical connection of malicious USB audio devices that exploit the descriptor validation flaw.