Medium severity4.6NVD Advisory· Published Apr 24, 2026· Updated Apr 28, 2026

CVE-2026-31620

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0

A malicious USB device with the TASCAM US-144MKII device id can have a configuration containing bInterfaceNumber=1 but no interface 0. USB configuration descriptors are not required to assign interface numbers sequentially, so usb_ifnum_to_if(dev, 0) returns will NULL, which will then be dereferenced directly.

Fix this up by checking the return value properly.

Affected products

Linux/Kernel
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Range: >=6.18,<6.18.24

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

News mentions

No linked articles in our index yet.

cvss	0.299
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000