CVE-2026-46018 (GCVE-0-2026-46018)

Vulnerability from cvelistv5 – Published: 2026-05-27 12:56 – Updated: 2026-05-27 12:56
VLAI
Title
ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
Summary
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES parse_uac2_sample_rate_range() caps the number of enumerated rates at MAX_NR_RATES, but it only breaks out of the current rate loop. A malformed UAC2 RANGE response with additional triplets continues parsing the remaining triplets and repeatedly prints "invalid uac2 rates" while probe still holds register_mutex. Stop the whole parse once the cap is reached and return the number of rates collected so far.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 4fa0e81b83503900be277e6273a79651b375e288 , < ab5ba9fd138758ddc50222264ff246b31e397abf (git)
Affected: 4fa0e81b83503900be277e6273a79651b375e288 , < ba036305323814ec1f8655313b2fa6a0f7048716 (git)
Affected: 4fa0e81b83503900be277e6273a79651b375e288 , < 4d7893a137eadb6163ea4298bf67d74b811d76ef (git)
Affected: 4fa0e81b83503900be277e6273a79651b375e288 , < a0b78639ef09b2e77974a3de3b1c07f6de3c5e56 (git)
Affected: 4fa0e81b83503900be277e6273a79651b375e288 , < 3c318f97dcc50b2e0556a1813bd6958678e881fd (git)
Affected: 44f059fb742aac78cffdab5e0d8fe0c9910c1ded (git)
Affected: c25a53781f61c78bf2a2fa308bbd35b42ba346f6 (git)
Affected: 3.0.81 , < 3.1 (semver)
Affected: 3.2.47 , < 3.3 (semver)
Create a notification for this product.
Linux Linux Affected: 3.3
Unaffected: 0 , < 3.3 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.86 , ≤ 6.12.* (semver)
Unaffected: 6.18.27 , ≤ 6.18.* (semver)
Unaffected: 7.0.4 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/format.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ab5ba9fd138758ddc50222264ff246b31e397abf",
              "status": "affected",
              "version": "4fa0e81b83503900be277e6273a79651b375e288",
              "versionType": "git"
            },
            {
              "lessThan": "ba036305323814ec1f8655313b2fa6a0f7048716",
              "status": "affected",
              "version": "4fa0e81b83503900be277e6273a79651b375e288",
              "versionType": "git"
            },
            {
              "lessThan": "4d7893a137eadb6163ea4298bf67d74b811d76ef",
              "status": "affected",
              "version": "4fa0e81b83503900be277e6273a79651b375e288",
              "versionType": "git"
            },
            {
              "lessThan": "a0b78639ef09b2e77974a3de3b1c07f6de3c5e56",
              "status": "affected",
              "version": "4fa0e81b83503900be277e6273a79651b375e288",
              "versionType": "git"
            },
            {
              "lessThan": "3c318f97dcc50b2e0556a1813bd6958678e881fd",
              "status": "affected",
              "version": "4fa0e81b83503900be277e6273a79651b375e288",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "44f059fb742aac78cffdab5e0d8fe0c9910c1ded",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "c25a53781f61c78bf2a2fa308bbd35b42ba346f6",
              "versionType": "git"
            },
            {
              "lessThan": "3.1",
              "status": "affected",
              "version": "3.0.81",
              "versionType": "semver"
            },
            {
              "lessThan": "3.3",
              "status": "affected",
              "version": "3.2.47",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/format.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.3"
            },
            {
              "lessThan": "3.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.0.81",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.2.47",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES\n\nparse_uac2_sample_rate_range() caps the number of enumerated\nrates at MAX_NR_RATES, but it only breaks out of the current\nrate loop. A malformed UAC2 RANGE response with additional\ntriplets continues parsing the remaining triplets and repeatedly\nprints \"invalid uac2 rates\" while probe still holds\nregister_mutex.\n\nStop the whole parse once the cap is reached and return the\nnumber of rates collected so far."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T12:56:19.588Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ab5ba9fd138758ddc50222264ff246b31e397abf"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba036305323814ec1f8655313b2fa6a0f7048716"
        },
        {
          "url": "https://git.kernel.org/stable/c/4d7893a137eadb6163ea4298bf67d74b811d76ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0b78639ef09b2e77974a3de3b1c07f6de3c5e56"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c318f97dcc50b2e0556a1813bd6958678e881fd"
        }
      ],
      "title": "ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46018",
    "datePublished": "2026-05-27T12:56:19.588Z",
    "dateReserved": "2026-05-13T15:03:33.092Z",
    "dateUpdated": "2026-05-27T12:56:19.588Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-46018",
      "date": "2026-05-29",
      "epss": "0.00021",
      "percentile": "0.06154"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46018\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-27T14:17:20.240\",\"lastModified\":\"2026-05-27T14:48:03.013\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES\\n\\nparse_uac2_sample_rate_range() caps the number of enumerated\\nrates at MAX_NR_RATES, but it only breaks out of the current\\nrate loop. A malformed UAC2 RANGE response with additional\\ntriplets continues parsing the remaining triplets and repeatedly\\nprints \\\"invalid uac2 rates\\\" while probe still holds\\nregister_mutex.\\n\\nStop the whole parse once the cap is reached and return the\\nnumber of rates collected so far.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3c318f97dcc50b2e0556a1813bd6958678e881fd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4d7893a137eadb6163ea4298bf67d74b811d76ef\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a0b78639ef09b2e77974a3de3b1c07f6de3c5e56\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ab5ba9fd138758ddc50222264ff246b31e397abf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ba036305323814ec1f8655313b2fa6a0f7048716\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.