CVE-2026-31776

Vulnerability

Description

In the Linux kernel, the ALSA ctxfi sound driver for Creative Sound Blaster X-Fi devices fails to properly handle the SPDIF1 DAIO type in the daio_device_index() function for the hw20k2 chip variant. Instead of returning the correct index, it returns -EINVAL, which causes the caller to access an array out of bounds. This bug was introduced when the function was implemented for hw20k1 but not for hw20k2.

Exploitation

The vulnerability can be triggered by any local user who can interact with the sound subsystem, such as through the ALSA API. No special privileges are required beyond the ability to open and manipulate sound devices. An attacker could craft a sequence of ioctl calls that result in an out-of-bounds read or write past the allocated dao array. The exact attack vector depends on the driver's usage of the returned index, but the out-of-bounds access can potentially overwrite kernel memory.

Impact

Successful exploitation could lead to arbitrary code execution in the kernel context, privilege escalation, or system crash (denial of service). Given the high CVSS v3 score of 7.8, the vulnerability is considered serious, especially on systems with affected Sound Blaster hardware and the ctxfi driver loaded.

Mitigation

The fix is included in the Linux kernel stable updates. Users should apply the latest updates from their distribution. The commits [1] and [2] address the issue by adding the missing SPDIF1 index handling, following the same pattern as hw20k1. No workarounds are known, but unloading the ctxfi module (modprobe -r ctxfi) may mitigate the risk if the device is not needed.