Cyber Resilience

CVE-2026-23318

High

Published: 25 March 2026
Modified: 23 April 2026
KEV added: not listed
Patch: available
CVSS v3.1 score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS score: 0.0002 (6.3 percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23318 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Hardware Additions (T1200). The CVE is ranked at the 6.3 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-41 (Port and I/O Device Access) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-23318 is a vulnerability in the Linux kernel's ALSA USB-audio driver, specifically affecting validation of UAC3 (USB Audio Class 3) AC header descriptors. The validators table entry for UAC3 uses the incorrect protocol version UAC_VERSION_2 instead of UAC_VERSION_3, causing the validator to fail matching for actual UAC3 devices. This bypasses header descriptor validation entirely, allowing a malicious USB device presenting a truncated UAC3 header to trigger out-of-bounds reads when the driver accesses unvalidated descriptor fields. The issue stems from a copy-paste error during UAC3 section creation from UAC2 code and is classified as CWE-125 (Out-of-bounds Read) with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

A local attacker with low privileges can exploit this vulnerability by connecting a malicious USB audio device that presents a malformed UAC3 header descriptor. Physical access to the target system is required to insert the device, after which the driver processes the descriptor without proper validation. Successful exploitation leads to out-of-bounds memory reads, potentially disclosing sensitive kernel memory (high confidentiality impact) or causing denial of service through system crashes (high availability impact), though no integrity impact is possible.

Mitigation requires updating the Linux kernel to versions incorporating the relevant stable patches, available via kernel.org git commits such as 0dcd1ed96c03459cf14706885c9dd3c1fd8bd29f, 1e5753ff4c2e86aa88516f97a224c90a3d0b133e, 499ffd15b00dc91ac95c28f76959dfb5cdcc84d5, 54f9d645a5453d0bfece0c465d34aaf072ea99fa, and 82a7d0a1b88798de1a609130080ce0c65dd869e9. These patches correct the protocol version in the UAC3 validators table entry to UAC_VERSION_3, restoring proper header validation.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Use correct version for UAC3 header validation

The entry of the validators table for UAC3 AC header descriptor is defined with the wrong protocol version UAC_VERSION_2, while it should have been UAC_VERSION_3. This results in the validator never matching for actual UAC3 devices (protocol == UAC_VERSION_3), causing their header descriptors to bypass validation entirely. A malicious USB device presenting a truncated UAC3 header could exploit this to cause out-of-bounds reads when the driver later accesses unvalidated descriptor fields. The bug was introduced in the same commit as the recently fixed UAC3 feature unit sub-type typo, and appears to be from the same copy-paste error when the UAC3 section was created from the UAC2 section.
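The validator-table lookup that the analysis and the commit message describe, as an added illustration in C that is not the kernel's code and is not taken from the kernel source: a simplified model in which each table entry is keyed by (protocol, subtype) and carries a minimum descriptor length, and a descriptor whose key has no entry is accepted without any length check. That "no match means no validation" behaviour is what turns a wrong protocol constant into a complete bypass. The struct layout, the numeric values of UAC_VERSION_2, UAC_VERSION_3 and UAC_HEADER, the descriptor lengths, and the sample descriptor bytes are assumptions constructed for this example; only the constant names follow the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Protocol-version and subtype constants. The names follow the advisory;
 * the numeric values are assumptions made for this illustration. */
#define UAC_VERSION_2 0x20
#define UAC_VERSION_3 0x30
#define UAC_HEADER    0x01

/* Assumed minimum lengths of the two AC header descriptor layouts. */
#define UAC2_AC_HEADER_LEN 9
#define UAC3_AC_HEADER_LEN 10

/* Simplified validator-table entry (a model, not the kernel's structure):
 * a descriptor is looked up by (protocol, subtype) and must claim at least
 * min_len bytes. */
struct desc_validator {
    uint8_t protocol;
    uint8_t subtype;
    size_t  min_len;
};

/* Table as the advisory describes the bug: the UAC3 header entry was copied
 * from the UAC2 one and still carries UAC_VERSION_2, so it can never match a
 * UAC3 device. */
static const struct desc_validator buggy_table[] = {
    { UAC_VERSION_2, UAC_HEADER, UAC2_AC_HEADER_LEN },
    { UAC_VERSION_2, UAC_HEADER, UAC3_AC_HEADER_LEN }, /* should be UAC_VERSION_3 */
};

/* Table after the fix: the second entry is keyed by UAC_VERSION_3. */
static const struct desc_validator fixed_table[] = {
    { UAC_VERSION_2, UAC_HEADER, UAC2_AC_HEADER_LEN },
    { UAC_VERSION_3, UAC_HEADER, UAC3_AC_HEADER_LEN },
};

/* Returns true when the descriptor may be used by later parsing code.
 * Mirrors the behaviour the advisory describes: a descriptor whose
 * (protocol, subtype) has no table entry is accepted without any length
 * check, so a wrong key silently disables validation for that device. */
static bool validate_desc(const struct desc_validator *tbl, size_t n,
                          uint8_t protocol, const uint8_t *desc, size_t avail)
{
    if (avail < 3)            /* bLength, bDescriptorType, bDescriptorSubtype */
        return false;
    uint8_t blength = desc[0];
    uint8_t subtype = desc[2];

    for (size_t i = 0; i < n; i++) {
        if (tbl[i].protocol != protocol || tbl[i].subtype != subtype)
            continue;
        /* Matched: the descriptor must claim at least min_len bytes and
         * must not claim more bytes than are actually present. */
        return blength >= tbl[i].min_len && blength <= avail;
    }
    return true;              /* no validator registered: validation skipped */
}

/* Run one AC header descriptor through the buggy or the fixed table. */
bool accept_ac_header(bool use_fixed_table, uint8_t protocol,
                      const uint8_t *desc, size_t avail)
{
    if (use_fixed_table)
        return validate_desc(fixed_table,
                             sizeof fixed_table / sizeof fixed_table[0],
                             protocol, desc, avail);
    return validate_desc(buggy_table,
                         sizeof buggy_table / sizeof buggy_table[0],
                         protocol, desc, avail);
}

/* Constructed sample descriptors (not captured from any device). Layout:
 * bLength, bDescriptorType (0x24 = CS_INTERFACE), bDescriptorSubtype, ... */
const uint8_t uac2_header_ok[UAC2_AC_HEADER_LEN] =
    { UAC2_AC_HEADER_LEN, 0x24, UAC_HEADER, 0x00, 0x02, 0x09, 0x00, 0x00, 0x00 };
const uint8_t uac3_header_ok[UAC3_AC_HEADER_LEN] =
    { UAC3_AC_HEADER_LEN, 0x24, UAC_HEADER, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00 };
/* A UAC3 header that claims only 4 bytes: every field past offset 3 is absent,
 * so a parser that trusts the UAC3 layout would read past the end. */
const uint8_t uac3_header_short[4] = { 4, 0x24, UAC_HEADER, 0x00 };

int main(void)
{
    printf("buggy table, truncated UAC3 header: %s\n",
           accept_ac_header(false, UAC_VERSION_3, uac3_header_short,
                            sizeof uac3_header_short) ? "accepted" : "rejected");
    printf("fixed table, truncated UAC3 header: %s\n",
           accept_ac_header(true, UAC_VERSION_3, uac3_header_short,
                            sizeof uac3_header_short) ? "accepted" : "rejected");
    printf("fixed table, well-formed UAC3 header: %s\n",
           accept_ac_header(true, UAC_VERSION_3, uac3_header_ok,
                            sizeof uac3_header_ok) ? "accepted" : "rejected");
    return 0;
}
```

The design point for reviewers of similar table-driven validators: a lookup that falls through to "accept" when nothing matches fails open, so a typo in a key is invisible to every device that should have been covered. Either make the fall-through reject unknown (protocol, subtype) pairs, or add a test that feeds one well-formed and one truncated descriptor per supported protocol version through the table, which would have caught the copied UAC_VERSION_2 key immediately.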

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1200 Hardware Additions (Initial Access)
Adversaries may physically introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access.
Why these techniques?

Vulnerability is triggered by connecting a malicious USB device, directly enabling hardware-based initial access and kernel memory access/DoS.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21717 (same product: Linux Linux Kernel)
CVE-2026-31513 (same product: Linux Linux Kernel)
CVE-2025-21743 (same product: Linux Linux Kernel)
CVE-2026-43006 (same product: Linux Linux Kernel)
CVE-2026-31614 (same product: Linux Linux Kernel)
CVE-2026-31774 (same product: Linux Linux Kernel)
CVE-2025-21794 (same product: Linux Linux Kernel)
CVE-2026-23325 (same product: Linux Linux Kernel)
CVE-2026-43048 (same product: Linux Linux Kernel)
CVE-2025-21789 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 5.4; 7.0; 4.19.84 to 4.20; 5.3.11 to 5.4; 5.4.1 to 5.10.253

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly enforces proper validation of USB audio class UAC3 header descriptors to prevent bypass and subsequent out-of-bounds reads from malformed inputs.

Flaw remediation (prevent, recover): Requires timely remediation of the kernel flaw via patches that correct the UAC3 protocol version check, eliminating the validation bypass.

SC-41 Port and I/O Device Access (prevent): Restricts access to USB ports and I/O devices, preventing physical connection of malicious USB audio devices that exploit the descriptor validation flaw.

References