CVE-2026-31778
Description
In the Linux kernel, the following vulnerability has been resolved:
ALSA: caiaq: fix stack out-of-bounds read in init_card
The loop creates a whitespace-stripped copy of the card shortname where len < sizeof(card->id) is used for the bounds check. Since sizeof(card->id) is 16 and the local id buffer is also 16 bytes, writing 16 non-space characters fills the entire buffer, overwriting the terminating nullbyte.
When this non-null-terminated string is later passed to snd_card_set_id() -> copy_valid_id_string(), the function scans forward with while (*nid && ...) and reads past the end of the stack buffer, reading the contents of the stack.
A USB device with a product name containing many non-ASCII, non-space characters (e.g. multibyte UTF-8) will reliably trigger this as follows:
BUG: KASAN: stack-out-of-bounds in copy_valid_id_string sound/core/init.c:696 [inline] BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock+0x698/0x74c sound/core/init.c:718
The off-by-one has been present since commit bafeee5b1f8d ("ALSA: snd_usb_caiaq: give better shortname") from June 2009 (v2.6.31-rc1), which first introduced this whitespace-stripping loop. The original code never accounted for the null terminator when bounding the copy.
Fix this by changing the loop bound to sizeof(card->id) - 1, ensuring at least one byte remains as the null terminator.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack out-of-bounds read in ALSA caiaq driver due to off-by-one in whitespace stripping, allowing information disclosure via crafted USB device.
In the Linux kernel's ALSA caiaq driver, the init_card function contains a stack out-of-bounds read vulnerability. The bug is an off-by-one error in a loop that strips whitespace from the card shortname. The loop uses len < sizeof(card->id) as the bound, but since the local id buffer is also 16 bytes, writing 16 non-space characters overwrites the null terminator, leaving the string non-null-terminated.
When this non-null-terminated string is later passed to snd_card_set_id() -> copy_valid_id_string(), the function scans forward with while (*nid && ...) and reads past the end of the stack buffer, causing a stack out-of-bounds read. An attacker can trigger this by connecting a USB device with a product name containing many non-ASCII, non-space characters (e.g., multibyte UTF-8). No authentication is required; physical or local USB access is sufficient.
The out-of-bounds read can leak stack memory contents, potentially exposing sensitive information. The vulnerability has been present since commit bafeee5b1f8d (v2.6.31-rc1, June 2009). The CVSS score is 7.1 (High), indicating significant confidentiality impact.
The fix changes the loop bound to sizeof(card->id) - 1, ensuring space for the null terminator. Patches have been applied to stable kernel branches [1]. Users should update their kernels to include the fix.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
9(expand)+ 7 more
- (no CPE)
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=2.6.31,<5.10.253
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
News mentions
0No linked articles in our index yet.