VYPR
Medium severity 5.5 · NVD Advisory · Published May 1, 2026 · Updated May 7, 2026

CVE-2026-31775

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: ctxfi: Don't enumerate SPDIF1 at DAIO initialization

The recent refactoring of xfi driver changed the assignment of atc->daios[] at atc_get_resources(); now it loops over all enum DAIOTYP entries while it looped formerly only a part of them. The problem is that the last entry, SPDIF1, is a special type that is used only for hw20k1 CTSB073X model (as a replacement of SPDIFIO), and there is no corresponding definition for hw20k2. Due to the lack of the info, it caused a kernel crash on hw20k2, which was already worked around by the commit b045ab3dff97 ("ALSA: ctxfi: Fix missing SPDIFI1 index handling").

This patch addresses the root cause of the regression above properly, simply by skipping the incorrect SPDIF1 type in the parser loop.

For making the change clearer, the code is slightly arranged, too.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A kernel crash in the ALSA ctxfi driver occurs when SPDIF1 is incorrectly enumerated during DAIO initialization on hw20k2 hardware.

Vulnerability

A regression in the Linux kernel's ALSA ctxfi driver causes a kernel crash when the driver enumerates the SPDIF1 DAIO type during initialization on hw20k2 hardware. The root cause is a refactoring change that made the atc_get_resources() function loop over all DAIOTYP entries, including the SPDIF1 type, which is only valid for hw20k1 CTSB073X models and lacks a corresponding definition for hw20k2 [1].

Exploitation

An attacker would need to have local access to a system with a Sound Blaster X-Fi (ctxfi) sound card based on the hw20k2 chipset. The crash occurs automatically during driver initialization when the kernel module is loaded or when the system boots, without requiring any special user interaction beyond having the affected hardware present.

Impact

Successful exploitation results in a denial of service (DoS) through a kernel crash (NULL pointer dereference or similar) during driver initialization, rendering the sound card unusable and potentially crashing the system. The CVSS v3 score is 5.5 (Medium) with low attack complexity and low privileges required, but no confidentiality or integrity impact [1].

Mitigation

The fix is included in Linux kernel stable commit 75dc1980cf48826287e43dc7a49e310c6691f97e, which skips the SPDIF1 type in the parser loop and arranges the code for clarity [1]. Users should update to a kernel version containing this commit. No workaround is available other than avoiding the affected hardware or blacklisting the driver.
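A host triage check for the mitigation above, as an added example that is not part of the advisory or the kernel project: it compares a kernel release string with the ranges listed under "Affected products" and looks for the loaded driver module. It assumes the module name `snd_ctxfi` and `uname -r`-style release strings; the function names are hypothetical, and a distribution kernel may carry the fix as a backport, which a version comparison cannot see.

```shell
#!/bin/sh
# Added example: triage against the ranges this page lists for CVE-2026-31775
# (>=6.19,<6.19.12 and 7.0 rc1 through rc6). Function names are hypothetical.

# Return 0 if the release string falls inside the listed ranges, 1 otherwise.
ctxfi_affected() {
    rel=$1
    ver=${rel%%[!0-9.]*}      # "6.19.5-arch1-1" -> "6.19.5"
    suffix=${rel#"$ver"}      # "7.0.0-rc3+"     -> "-rc3+"
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -eq 6 ] && [ "$minor" -eq 19 ]; then
        # A 6.19 pre-release sorts before 6.19, so it is outside ">=6.19".
        case $patch$suffix in 0-rc*) return 1 ;; esac
        [ "$patch" -lt 12 ]; return
    fi
    if [ "$major" -eq 7 ] && [ "$minor" -eq 0 ] && [ "$patch" -eq 0 ]; then
        case $suffix in -rc[1-6]|-rc[1-6][!0-9]*) return 0 ;; esac
    fi
    return 1
}

# Return 0 if the ctxfi module appears in a /proc/modules-style file.
ctxfi_loaded() {
    [ -r "${1:-/proc/modules}" ] && grep -q '^snd_ctxfi ' "${1:-/proc/modules}"
}

# Exit status: 0 = outside listed ranges, 1 = listed kernel but driver not
# loaded, 2 = listed kernel with the driver loaded.
ctxfi_triage() {
    rel=${1:-$(uname -r)}; mods=${2:-/proc/modules}
    if ! ctxfi_affected "$rel"; then
        echo "ok: kernel $rel is outside the listed ranges"
        return 0
    fi
    if ctxfi_loaded "$mods"; then
        echo "action: kernel $rel is listed and snd_ctxfi is loaded"
        echo "  update the kernel, or until then add 'blacklist snd_ctxfi'"
        echo "  to a file under /etc/modprobe.d/"
        return 2
    fi
    echo "note: kernel $rel is listed, snd_ctxfi is not loaded"
    return 1
}

# Report on the running host; the status is masked so sourcing stays harmless.
ctxfi_triage || :
```
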

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Linux/Kernel: 7 versions
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.19,<6.19.12)
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Patches

0

No patches discovered yet.

References

2
