VYPR
High severity · 7.1 · NVD Advisory · Published Mar 25, 2026 · Updated Apr 23, 2026

CVE-2026-23318

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Use correct version for UAC3 header validation

The entry of the validators table for UAC3 AC header descriptor is defined with the wrong protocol version UAC_VERSION_2, while it should have been UAC_VERSION_3. This results in the validator never matching for actual UAC3 devices (protocol == UAC_VERSION_3), causing their header descriptors to bypass validation entirely. A malicious USB device presenting a truncated UAC3 header could exploit this to cause out-of-bounds reads when the driver later accesses unvalidated descriptor fields.

The bug was introduced in the same commit as the recently fixed UAC3 feature unit sub-type typo, and appears to be from the same copy-paste error when the UAC3 section was created from the UAC2 section.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A copy-paste error in the Linux kernel's ALSA USB-audio driver causes UAC3 header validation to use the wrong protocol version, allowing malicious USB devices to bypass validation and trigger out-of-bounds reads.

Vulnerability

Overview

A copy-paste error in the Linux kernel's ALSA USB-audio driver causes the UAC3 AC header descriptor validator to use the wrong protocol version (UAC_VERSION_2 instead of UAC_VERSION_3). This means the validator never matches actual UAC3 devices (which use UAC_VERSION_3), so their header descriptors bypass validation entirely. The bug was introduced in the same commit as a recently fixed UAC3 feature unit sub-type typo, suggesting it originated when the UAC3 section was created from the UAC2 section [1][2][3][4].

Exploitation

An attacker who can plug in, or emulate, a USB audio device can exploit this by presenting a UAC3 AC header descriptor whose bLength is shorter than the fixed-size header the driver expects. Because no validator entry is keyed on UAC_VERSION_3, the driver accepts the malformed descriptor without checking its size or fields. When it later accesses fields of that unvalidated descriptor, the reads land beyond the bytes the device actually supplied, producing out-of-bounds reads in the kernel [1][2][3][4].
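The following is an added illustration, not code from the kernel or from the advisory: a small table-driven descriptor check modelled on the approach the advisory describes, with the validator table shown once keyed as the bug had it and once as the fix has it. The constant values and the UAC2/UAC3 header layouts follow the USB Audio Class specifications; the table shape, the function names (desc_validator, validate_desc, uac3_overread_bytes) and the sample descriptor bytes are constructed for this example only. It shows why a truncated UAC3 header slips through the buggy table, how many bytes a later field access would read past the end of it, and that the fixed table rejects the same header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Protocol and descriptor constants with the values used by the USB Audio
 * Class specifications (UAC2 = 0x20, UAC3 = 0x30). */
#define UAC_VERSION_2        0x20
#define UAC_VERSION_3        0x30
#define USB_DT_CS_INTERFACE  0x24
#define UAC_HEADER           0x01

/* Wire layout of the class-specific AC header descriptors
 * (UAC2: 9 bytes, UAC3: 10 bytes). */
struct __attribute__((packed)) uac2_ac_header {
    uint8_t  bLength, bDescriptorType, bDescriptorSubtype;
    uint16_t bcdADC;
    uint8_t  bCategory;
    uint16_t wTotalLength;
    uint8_t  bmControls;
};

struct __attribute__((packed)) uac3_ac_header {
    uint8_t  bLength, bDescriptorType, bDescriptorSubtype, bCategory;
    uint16_t wTotalLength;
    uint32_t bmControls;
};

/* Hypothetical validator-table entry: a (protocol, subtype) key and the
 * minimum length a matching descriptor must have. Zero min_len ends a table. */
struct desc_validator {
    uint8_t protocol;
    uint8_t subtype;
    size_t  min_len;
};

/* Table as it stood before the fix: the UAC3 header row carries the UAC2
 * protocol key, so no row is ever keyed on UAC_VERSION_3. */
static const struct desc_validator buggy_validators[] = {
    { UAC_VERSION_2, UAC_HEADER, sizeof(struct uac2_ac_header) },
    { UAC_VERSION_2, UAC_HEADER, sizeof(struct uac3_ac_header) }, /* should be UAC_VERSION_3 */
    { 0, 0, 0 }
};

/* Table after the fix. */
static const struct desc_validator fixed_validators[] = {
    { UAC_VERSION_2, UAC_HEADER, sizeof(struct uac2_ac_header) },
    { UAC_VERSION_3, UAC_HEADER, sizeof(struct uac3_ac_header) },
    { 0, 0, 0 }
};

/* Table-driven check: the first row whose key matches decides whether the
 * descriptor is long enough. A descriptor that matches no row is accepted
 * unchecked, which is the bypass the advisory describes. */
static bool validate_desc(const struct desc_validator *table,
                          const uint8_t *desc, size_t avail, int protocol)
{
    if (avail < 3 || desc[1] != USB_DT_CS_INTERFACE)
        return false;
    for (const struct desc_validator *v = table; v->min_len; v++) {
        if (v->protocol != protocol || v->subtype != desc[2])
            continue;
        return desc[0] >= v->min_len && desc[0] <= avail;
    }
    return true; /* no validator matched: bypassed */
}

/* Bytes a later read of bmControls (the last UAC3 header field) would reach
 * past the end of a descriptor of which only `avail` bytes exist. */
static size_t uac3_overread_bytes(size_t avail)
{
    size_t end = offsetof(struct uac3_ac_header, bmControls) + sizeof(uint32_t);
    return end > avail ? end - avail : 0;
}

/* Constructed samples (not captured from real hardware): a truncated UAC3
 * header claiming 4 bytes, and a well-formed 10-byte one. */
static const uint8_t truncated_uac3[] = { 0x04, USB_DT_CS_INTERFACE, UAC_HEADER, 0x01 };
static const uint8_t good_uac3[] = { 0x0a, USB_DT_CS_INTERFACE, UAC_HEADER, 0x01,
                                     0x2a, 0x00, 0x00, 0x00, 0x00, 0x00 };

int main(void)
{
    printf("buggy table accepts truncated UAC3 header: %d\n",
           validate_desc(buggy_validators, truncated_uac3, sizeof truncated_uac3, UAC_VERSION_3));
    printf("fixed table accepts truncated UAC3 header: %d\n",
           validate_desc(fixed_validators, truncated_uac3, sizeof truncated_uac3, UAC_VERSION_3));
    printf("fixed table accepts well-formed UAC3 header: %d\n",
           validate_desc(fixed_validators, good_uac3, sizeof good_uac3, UAC_VERSION_3));
    printf("bytes read past a 4-byte header when touching bmControls: %zu\n",
           uac3_overread_bytes(sizeof truncated_uac3));
    return 0;
}
```

The point to take from the example is the fall-through at the end of validate_desc: a table-driven validator that treats "no matching entry" as "accept" turns a one-token key typo into a complete bypass for every descriptor of that protocol, while the UAC2 rows keep working and nothing fails loudly. A stricter design would default to rejecting descriptors that match no entry, or at least log them.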

Impact

Successful exploitation causes the kernel to read memory beyond the descriptor data the device supplied, which can disclose adjacent kernel memory or crash the system (denial of service). The vulnerability is rated High with a CVSS v3 score of 7.1: the attacker needs physical access or control of an attached USB device, but the outcome is a kernel-level information leak or instability [1][2][3][4].

Mitigation

The fix corrects the protocol version in the validator table entry from UAC_VERSION_2 to UAC_VERSION_3. The patch has been applied to the stable kernel tree and is available in the referenced commits. Users should update their kernels to include this fix. No workaround is available other than applying the patch or avoiding untrusted USB audio devices; restricting which USB devices the host will bind (for example via the kernel's USB authorization interface in sysfs or a tool such as usbguard) limits exposure until the fix is deployed [1][2][3][4].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (10)

Linux kernel (9 versions listed)
  • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=4.19.84, <4.20)
  • cpe:2.3:o:linux:linux_kernel:5.4:-:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (8)

News mentions (0)

No linked articles in our index yet.