CVE-2025-68346

Vulnerability

The detect_stream_formats() function in the ALSA dice driver reads the stream_count value directly from a FireWire device without validating it against the MAX_STREAMS limit. This lack of validation can lead to out-of-bounds writes when a malicious or malformed device provides a stream_count value greater than MAX_STREAMS [1][2][3][4].

Exploitation

An attacker with physical access to the FireWire bus or the ability to connect a malicious FireWire device can supply a crafted stream_count value. No authentication is required beyond device enumeration. The attack surface is limited to systems with the snd-dice driver loaded and a FireWire controller present.

Impact

Successful exploitation results in a buffer overflow, potentially causing memory corruption, system crash, or arbitrary code execution in kernel context. The vulnerability is rated with a CVSS score that reflects the high impact on confidentiality, integrity, and availability.

Mitigation

The fix applies the same validation to both TX and RX stream counts in detect_stream_formats(), ensuring that values before use. The patch has been merged into the stable kernel tree and is available in the referenced commits [1][2][3][4]. Users should update to a kernel version containing the fix.