CVE-2026-31602
Published: 24 April 2026
Summary
CVE-2026-31602 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely application of Linux kernel patches reverting CT_PTP_NUM to 1 directly eliminates the out-of-bounds access and page fault in ct_vm_map() of the snd_ctxfi driver.
Prohibiting unnecessary kernel modules like snd_ctxfi on systems without Creative CT20K2 hardware prevents loading of the vulnerable driver and potential exploitation via snd_pcm_ioctl.
Vulnerability scanning identifies unpatched Linux kernels affected by CVE-2026-31602, enabling proactive remediation before local exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local low-priv trigger of kernel page fault/oops via ALSA ioctl allows system exploitation for DoS (T1499.004) and potential privilege escalation to achieve high C/I/A impact (T1068).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Limit PTP to a single page Commit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256 playback streams, but the additional pages are not used by the…
more
card correctly. The CT20K2 hardware already has multiple VMEM_PTPAL registers, but using them separately would require refactoring the entire virtual memory allocation logic. ct_vm_map() always uses PTEs in vm->ptp[0].area regardless of CT_PTP_NUM. On AMD64 systems, a single PTP covers 512 PTEs (2M). When aggregate memory allocations exceed this limit, ct_vm_map() tries to access beyond the allocated space and causes a page fault: BUG: unable to handle page fault for address: ffffd4ae8a10a000 Oops: Oops: 0002 [#1] SMP PTI RIP: 0010:ct_vm_map+0x17c/0x280 [snd_ctxfi] Call Trace: atc_pcm_playback_prepare+0x225/0x3b0 ct_pcm_playback_prepare+0x38/0x60 snd_pcm_do_prepare+0x2f/0x50 snd_pcm_action_single+0x36/0x90 snd_pcm_action_nonatomic+0xbf/0xd0 snd_pcm_ioctl+0x28/0x40 __x64_sys_ioctl+0x97/0xe0 do_syscall_64+0x81/0x610 entry_SYSCALL_64_after_hwframe+0x76/0x7e Revert CT_PTP_NUM to 1. The 256 SRC_RESOURCE_NUM and playback_count remain unchanged.
Deeper analysisAI
CVE-2026-31602 is a vulnerability in the Linux kernel's ALSA ctxfi driver (snd_ctxfi module), affecting systems with Creative CT20K2 hardware support. A prior commit (391e69143d0a) increased CT_PTP_NUM from 1 to 4 to accommodate up to 256 playback streams, but the driver incorrectly relies solely on vm->ptp[0].area for PTEs in ct_vm_map(). On AMD64 systems, this single PTP covers 512 PTEs (2MB), and exceeding this limit during aggregate memory allocations triggers access beyond the allocated space, resulting in a page fault and kernel oops.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). By invoking snd_pcm_ioctl during playback preparation (e.g., via atc_pcm_playback_prepare and ct_pcm_playback_prepare), the attacker triggers ct_vm_map() at offset 0x17c, leading to a kernel crash as shown in the stack trace: BUG unable to handle page fault, RIP in ct_vm_map, escalating to SMP PTI oops. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates potential for high impacts on confidentiality, integrity, and availability.
Mitigation patches are available in Linux kernel stable branches via commits such as 365c36e1a126c6aa1aecedd3a351bcabc66f0c29, 3fd0685d7fef68c2d8a04876bcf9eaa0724ad6a5, 452894005b4abe141b11fe01e7bfe152e6d3860f, ad9011a795407093dcf507f6e5da1828987b4b47, and b7f5ecd13cce8c2f8fa5a84c9aab65997142577e. These revert CT_PTP_NUM to 1 while preserving support for 256 SRC_RESOURCE_NUM and playback_count, ensuring PTP is limited to a single page and preventing out-of-bounds access.
Details
- CWE(s)