CVE-2026-31619
Description
In the Linux kernel, the following vulnerability has been resolved:
ALSA: fireworks: bound device-supplied status before string array lookup
The status field in an EFW response is a 32-bit value supplied by the firewire device. efr_status_names[] has 17 entries so a status value outside that range goes off into the weeds when looking at the %s value.
Even worse, the status could return EFR_STATUS_INCOMPLETE which is 0x80000000, and is obviously not in that array of potential strings.
Fix this up by properly bounding the index against the array size and printing "unknown" if it's not recognized.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's ALSA fireworks driver, a missing bounds check on a device-supplied status value leads to out-of-bounds array access, fixed by proper index validation.
Vulnerability
The ALSA fireworks driver in the Linux kernel handles EFW responses from FireWire devices. The status field in these responses is a 32-bit value supplied by the device, which is used as an index into the efr_status_names[] array. This array has only 17 entries, but the status value can range up to 0xFFFFFFFF, including the special value EFR_STATUS_INCOMPLETE (0x80000000). Without a bounds check, accessing the array with an out-of-range index results in an out-of-bounds read.
Exploitation
An attacker able to control or spoof a FireWire device can send a crafted EFW response with a malicious status value. This requires physical access to the FireWire bus or a compromised device on that bus. No authentication is needed beyond the ability to send EFW responses. The vulnerability can be triggered without special privileges beyond local access to the FireWire subsystem.
Impact
A successful out-of-bounds read could lead to information disclosure (reading kernel memory beyond the array) or a kernel crash (denial of service). The CVSS score of 5.5 (Medium) reflects the need for local access and the potential for modest information leakage.
Mitigation
The fix, applied in kernel stable commits [1][2][3][4], bounds the status index to the array size and prints "unknown" for unrecognized values. Users should update to a kernel version containing these commits to eliminate the vulnerability.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- git.kernel.org/stable/c/07704bbf36f57e4379e4cadf96410dab14621e3bnvdPatch
- git.kernel.org/stable/c/67cfd14074cdafab5de3f7cfc0952c1a9b653e5dnvdPatch
- git.kernel.org/stable/c/682d8accf0d83a871e8c327b95c81f53902c922bnvdPatch
- git.kernel.org/stable/c/cc624b3d2be13297100539b64ad950695188e046nvdPatch
- git.kernel.org/stable/c/e103f98f6615ed2934e9cf340654f0cad9eb8a8anvdPatch
- git.kernel.org/stable/c/f856f4b6efd51be7950e4b84c06cd961961ca41cnvdPatch
News mentions
0No linked articles in our index yet.