CVE-2025-40269

Vulnerability

Overview

The Linux kernel's ALSA USB-audio driver contains a buffer overflow vulnerability in the PCM stream data transfer path. The driver dynamically determines USB URB packet sizes based on the audio rate and packets per second (PPS), but fails to verify that the calculated size does not exceed the USB endpoint's wMaxPacketSize limit. When a device reports a wMaxPacketSize smaller than the computed packet size—often due to a malformed USB descriptor—the driver writes beyond the allocated buffer, causing a memory corruption [1].

Exploitation

Prerequisites

An attacker would need to connect a malicious USB audio device to the target system, or the system must be configured to accept such devices. No special privileges are required beyond physical or logical access to a USB port. The vulnerability is triggered during PCM stream setup, before any audio data is transferred, meaning the attack surface is limited to the enumeration and configuration phase of a USB audio device.

Impact

Successful exploitation could lead to a buffer overflow in kernel memory, potentially resulting in a denial of service (system crash) or, in more severe scenarios, arbitrary code execution in the kernel context. The issue was reported by syzbot, indicating it is reachable from user space via USB device interaction.

Mitigation

The fix introduces a sanity check at parameter setup time: if the calculated packet size exceeds the endpoint's maxpacksize (specifically ep->packsize[1]), the driver returns -EINVAL and aborts the stream configuration. This prevents the overflow from occurring. The patch has been applied to the stable kernel tree [1]. Users should update to a kernel version containing this commit.