CVE-2026-31602
Description
In the Linux kernel, the following vulnerability has been resolved:
ALSA: ctxfi: Limit PTP to a single page
Commit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256 playback streams, but the additional pages are not used by the card correctly. The CT20K2 hardware already has multiple VMEM_PTPAL registers, but using them separately would require refactoring the entire virtual memory allocation logic.
ct_vm_map() always uses PTEs in vm->ptp[0].area regardless of CT_PTP_NUM. On AMD64 systems, a single PTP covers 512 PTEs (2M). When aggregate memory allocations exceed this limit, ct_vm_map() tries to access beyond the allocated space and causes a page fault:
BUG: unable to handle page fault for address: ffffd4ae8a10a000
Oops: Oops: 0002 [#1] SMP PTI
RIP: 0010:ct_vm_map+0x17c/0x280 [snd_ctxfi]
Call Trace:
 atc_pcm_playback_prepare+0x225/0x3b0
 ct_pcm_playback_prepare+0x38/0x60
 snd_pcm_do_prepare+0x2f/0x50
 snd_pcm_action_single+0x36/0x90
 snd_pcm_action_nonatomic+0xbf/0xd0
 snd_pcm_ioctl+0x28/0x40
 __x64_sys_ioctl+0x97/0xe0
 do_syscall_64+0x81/0x610
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
Revert CT_PTP_NUM to 1. The 256 SRC_RESOURCE_NUM and playback_count remain unchanged.
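A simplified user-space model of the indexing problem described above, added here as an illustration and not taken from the driver or the patch. struct model_vm, model_map() and the bump allocator are hypothetical stand-ins, and the model assumes the allocatable address space grows with CT_PTP_NUM while every PTE write goes to the first page; it counts out-of-range PTE writes instead of performing them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096u                              /* device page and PTP size */
#define PTES_PER_PTP (MODEL_PAGE_SIZE / sizeof(uint64_t))  /* 512 PTEs = 2 MiB mapped */

/* Hypothetical stand-in for the driver's VM state; not the kernel's struct. */
struct model_vm {
    uint64_t ptp0[PTES_PER_PTP]; /* plays the role of vm->ptp[0].area */
    unsigned ptp_num;            /* plays the role of CT_PTP_NUM */
    size_t next_pte;             /* bump allocator over the PTE index space */
};

/* Map `bytes`; return the first PTE index or -1 when the space is exhausted.
 * *oob receives how many PTE writes would land past the end of ptp0. */
long model_map(struct model_vm *vm, size_t bytes, size_t *oob)
{
    size_t n = (bytes + MODEL_PAGE_SIZE - 1) / MODEL_PAGE_SIZE;
    size_t start = vm->next_pte;
    /* Assumption: address space is handed out for every configured PTP. */
    size_t advertised = (size_t)vm->ptp_num * PTES_PER_PTP;

    *oob = 0;
    if (n > advertised - start)
        return -1;                       /* allocator refuses the request */
    for (size_t i = 0; i < n; i++) {
        if (start + i < PTES_PER_PTP)
            vm->ptp0[start + i] = (uint64_t)(start + i) * MODEL_PAGE_SIZE;
        else
            (*oob)++;                    /* the driver would write here and fault */
    }
    vm->next_pte = start + n;
    return (long)start;
}

int main(void)
{
    const unsigned cfg[] = { 4, 1 };     /* before and after the revert */
    for (int k = 0; k < 2; k++) {
        struct model_vm vm = { .ptp_num = cfg[k] };
        size_t oob;
        model_map(&vm, 1536 * 1024, &oob);           /* constructed: two 1.5 MiB buffers */
        long r = model_map(&vm, 1536 * 1024, &oob);
        printf("CT_PTP_NUM=%u: second map -> %ld, out-of-range PTE writes: %zu\n",
               cfg[k], r, oob);
    }
    return 0;
}
```

With four pages configured the second buffer is accepted and 256 of its PTE writes fall outside the single page; with one page the same request is refused before any PTE is written.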
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's ALSA ctxfi driver, a kernel panic occurs because the PTP count was increased to 4 while only index 0 is used, causing out-of-bounds access when memory allocations exceed 2 MB.
Vulnerability
In the Linux kernel's ALSA ctxfi (Sound Blaster X-Fi) driver, a previous commit raised CT_PTP_NUM from 1 to 4 to allow 256 playback streams, but the additional PTP (Page Table Page) entries are never used by ct_vm_map(). The function always reads PTEs from vm->ptp[0].area, regardless of CT_PTP_NUM. On AMD64 systems, a single PTP covers 2 MB (512 PTEs). When aggregate memory allocations exceed this limit, ct_vm_map() attempts to access beyond the allocated region, triggering a page fault [1].
Exploitation
The vulnerability is triggered during normal audio playback preparation. When the driver calls ct_vm_map() to map memory for a new PCM substream, and the total mapped memory surpasses the 2 MB boundary, an out-of-bounds read/write occurs. An attacker would need local access to the system and the ability to initiate multiple audio playback streams—no special privileges beyond normal user access to ALSA audio devices are required. The crash manifests as a kernel NULL pointer dereference or page fault, as shown in the kernel bug report [1].
Impact
A local attacker or even an unprivileged user can cause a denial of service (DoS) by crashing the kernel through repeated audio playback operations that exhaust the limited PTP space. The bug can lead to system instability, data loss from unsaved work, or reboots. The CVSS v3 score of 7.8 reflects the high availability impact, with no confidentiality or integrity loss. No privilege escalation is known from this bug.
Mitigation
Patches have been merged into the Linux kernel stable tree, reverting CT_PTP_NUM back to 1 [1][2][3][4]. Users should apply the corresponding stable kernel updates for their distribution. The capacity of 256 playback streams (SRC_RESOURCE_NUM) remains unchanged; only the PTP allocation logic is corrected, so the reduction from 4 page table pages to 1 does not affect the number of concurrent streams, as confirmed by the commit message [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- git.kernel.org/stable/c/365c36e1a126c6aa1aecedd3a351bcabc66f0c29 (nvd, Patch)
- git.kernel.org/stable/c/3fd0685d7fef68c2d8a04876bcf9eaa0724ad6a5 (nvd, Patch)
- git.kernel.org/stable/c/452894005b4abe141b11fe01e7bfe152e6d3860f (nvd, Patch)
- git.kernel.org/stable/c/ad9011a795407093dcf507f6e5da1828987b4b47 (nvd, Patch)
- git.kernel.org/stable/c/b7f5ecd13cce8c2f8fa5a84c9aab65997142577e (nvd, Patch)
- git.kernel.org/stable/c/e9418da50d9e5c496c22fe392e4ad74c038a94eb (nvd, Patch)