CVE-2026-46018
Description
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
parse_uac2_sample_rate_range() caps the number of enumerated rates at MAX_NR_RATES, but it only breaks out of the current rate loop. A malformed UAC2 RANGE response with additional triplets continues parsing the remaining triplets and repeatedly prints "invalid uac2 rates" while probe still holds register_mutex.
Stop the whole parse once the cap is reached and return the number of rates collected so far.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A malformed UAC2 RANGE response in the Linux kernel's ALSA USB audio driver can cause excessive parsing and log spam; fixed by stopping at MAX_NR_RATES.
Vulnerability
In the Linux kernel's ALSA USB audio driver, the function parse_uac2_sample_rate_range() in sound/usb/format.c caps the number of enumerated rates at MAX_NR_RATES but only breaks out of the current rate loop. A malformed UAC2 RANGE response with additional triplets continues parsing the remaining triplets and repeatedly prints "invalid uac2 rates" while the probe still holds register_mutex. This affects kernel versions prior to the fix [1].
Exploitation
An attacker with physical access or the ability to emulate a malicious USB audio device can trigger this vulnerability by providing a crafted UAC2 RANGE descriptor containing extra triplets beyond the expected count. No authentication is required; the device is probed automatically during USB enumeration.
Impact
The kernel prints repeated error messages, potentially causing log flooding and a denial-of-service condition. Because the probe holds register_mutex, the excessive parsing can delay or block other USB audio device operations. No privilege escalation or data corruption occurs.
Mitigation
The fix is included in Linux kernel commit 3c318f97dcc50b2e0556a1813bd6958678e881fd [1], which stops parsing once MAX_NR_RATES is reached and returns the number of rates collected so far. Users should update to a kernel containing this commit. No workaround is available.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
10ba0363053238ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
1 file changed · +1 −2
sound/usb/format.c+1 −2 modifieddiff --git a/sound/usb/format.c b/sound/usb/format.c index 7041633b02947a..81a2088b398e21 100644 --- a/sound/usb/format.c +++ b/sound/usb/format.c @@ -458,7 +458,7 @@ static int parse_uac2_sample_rate_range(struct snd_usb_audio *chip, nr_rates++; if (nr_rates >= MAX_NR_RATES) { usb_audio_err(chip, "invalid uac2 rates\n"); - break; + return nr_rates; } skip_rate: -- cgit 1.3-korg
3c318f97dcc5ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
1 file changed · +1 −2
sound/usb/format.c+1 −2 modifieddiff --git a/sound/usb/format.c b/sound/usb/format.c index 030b4307927a24..4830f9f93ad77e 100644 --- a/sound/usb/format.c +++ b/sound/usb/format.c @@ -470,7 +470,7 @@ static int parse_uac2_sample_rate_range(struct snd_usb_audio *chip, nr_rates++; if (nr_rates >= MAX_NR_RATES) { usb_audio_err(chip, "invalid uac2 rates\n"); - break; + return nr_rates; } skip_rate: -- cgit 1.3-korg
ab5ba9fd1387ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
1 file changed · +1 −2
sound/usb/format.c+1 −2 modifieddiff --git a/sound/usb/format.c b/sound/usb/format.c index 682adbdf7ee791..aec676a889ac84 100644 --- a/sound/usb/format.c +++ b/sound/usb/format.c @@ -461,7 +461,7 @@ static int parse_uac2_sample_rate_range(struct snd_usb_audio *chip, nr_rates++; if (nr_rates >= MAX_NR_RATES) { usb_audio_err(chip, "invalid uac2 rates\n"); - break; + return nr_rates; } skip_rate: -- cgit 1.3-korg
4d7893a137eaALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
1 file changed · +1 −2
sound/usb/format.c+1 −2 modifieddiff --git a/sound/usb/format.c b/sound/usb/format.c index 53b5dc5453b787..133595d79d927c 100644 --- a/sound/usb/format.c +++ b/sound/usb/format.c @@ -463,7 +463,7 @@ static int parse_uac2_sample_rate_range(struct snd_usb_audio *chip, nr_rates++; if (nr_rates >= MAX_NR_RATES) { usb_audio_err(chip, "invalid uac2 rates\n"); - break; + return nr_rates; } skip_rate: -- cgit 1.3-korg
a0b78639ef09ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
1 file changed · +1 −2
sound/usb/format.c+1 −2 modifieddiff --git a/sound/usb/format.c b/sound/usb/format.c index 1207c507882add..0fa2f3f3dd2b50 100644 --- a/sound/usb/format.c +++ b/sound/usb/format.c @@ -466,7 +466,7 @@ static int parse_uac2_sample_rate_range(struct snd_usb_audio *chip, nr_rates++; if (nr_rates >= MAX_NR_RATES) { usb_audio_err(chip, "invalid uac2 rates\n"); - break; + return nr_rates; } skip_rate: -- cgit 1.3-korg
3c318f97dcc5ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
1 file changed · +1 −2
sound/usb/format.c+1 −2 modifieddiff --git a/sound/usb/format.c b/sound/usb/format.c index 030b4307927a24..4830f9f93ad77e 100644 --- a/sound/usb/format.c +++ b/sound/usb/format.c @@ -470,7 +470,7 @@ static int parse_uac2_sample_rate_range(struct snd_usb_audio *chip, nr_rates++; if (nr_rates >= MAX_NR_RATES) { usb_audio_err(chip, "invalid uac2 rates\n"); - break; + return nr_rates; } skip_rate: -- cgit 1.3-korg
a0b78639ef09ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
1 file changed · +1 −2
sound/usb/format.c+1 −2 modifieddiff --git a/sound/usb/format.c b/sound/usb/format.c index 1207c507882add..0fa2f3f3dd2b50 100644 --- a/sound/usb/format.c +++ b/sound/usb/format.c @@ -466,7 +466,7 @@ static int parse_uac2_sample_rate_range(struct snd_usb_audio *chip, nr_rates++; if (nr_rates >= MAX_NR_RATES) { usb_audio_err(chip, "invalid uac2 rates\n"); - break; + return nr_rates; } skip_rate: -- cgit 1.3-korg
4d7893a137eaALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
1 file changed · +1 −2
sound/usb/format.c+1 −2 modifieddiff --git a/sound/usb/format.c b/sound/usb/format.c index 53b5dc5453b787..133595d79d927c 100644 --- a/sound/usb/format.c +++ b/sound/usb/format.c @@ -463,7 +463,7 @@ static int parse_uac2_sample_rate_range(struct snd_usb_audio *chip, nr_rates++; if (nr_rates >= MAX_NR_RATES) { usb_audio_err(chip, "invalid uac2 rates\n"); - break; + return nr_rates; } skip_rate: -- cgit 1.3-korg
ab5ba9fd1387ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
1 file changed · +1 −2
sound/usb/format.c+1 −2 modifieddiff --git a/sound/usb/format.c b/sound/usb/format.c index 682adbdf7ee791..aec676a889ac84 100644 --- a/sound/usb/format.c +++ b/sound/usb/format.c @@ -461,7 +461,7 @@ static int parse_uac2_sample_rate_range(struct snd_usb_audio *chip, nr_rates++; if (nr_rates >= MAX_NR_RATES) { usb_audio_err(chip, "invalid uac2 rates\n"); - break; + return nr_rates; } skip_rate: -- cgit 1.3-korg
ba0363053238ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
1 file changed · +1 −2
sound/usb/format.c+1 −2 modifieddiff --git a/sound/usb/format.c b/sound/usb/format.c index 7041633b02947a..81a2088b398e21 100644 --- a/sound/usb/format.c +++ b/sound/usb/format.c @@ -458,7 +458,7 @@ static int parse_uac2_sample_rate_range(struct snd_usb_audio *chip, nr_rates++; if (nr_rates >= MAX_NR_RATES) { usb_audio_err(chip, "invalid uac2 rates\n"); - break; + return nr_rates; } skip_rate: -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Incomplete loop exit in parse_uac2_sample_rate_range() — a `break` only escapes the inner rate loop instead of returning from the function, allowing continued parsing of malformed UAC2 RANGE triplets."
Attack vector
An attacker with physical USB access (or a compromised USB device) connects a malicious USB audio device that provides a malformed UAC2 RANGE response containing more sample-rate triplets than `MAX_NR_RATES`. During kernel probe, `parse_uac2_sample_rate_range()` iterates over these triplets; when `nr_rates` reaches `MAX_NR_RATES`, the old code only `break`s out of the inner rate loop but continues parsing outer triplets, repeatedly printing "invalid uac2 rates" error messages while holding `register_mutex`. This causes excessive log spam and holds the mutex longer than intended, potentially contributing to a denial-of-service condition on probe.
Affected code
The vulnerability is in `parse_uac2_sample_rate_range()` in `sound/usb/format.c` [patch_id=2660407]. The function parses UAC2 sample rate RANGE triplets from a USB audio device.
What the fix does
The patch changes the `break` statement inside the `if (nr_rates >= MAX_NR_RATES)` block to `return nr_rates` [patch_id=2660407]. Previously, `break` only exited the inner rate loop, allowing the outer triplet loop to continue parsing additional malformed triplets and repeatedly printing error messages. By returning immediately, the function stops all parsing as soon as the rate cap is reached, eliminating the excessive error prints and the prolonged holding of `register_mutex` during probe.
Preconditions
- physicalAttacker must have physical USB access or control over a USB device to present a malformed UAC2 RANGE descriptor
- inputThe malicious USB audio device must be plugged in and probed by the kernel
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/3c318f97dcc50b2e0556a1813bd6958678e881fdnvd
- git.kernel.org/stable/c/4d7893a137eadb6163ea4298bf67d74b811d76efnvd
- git.kernel.org/stable/c/a0b78639ef09b2e77974a3de3b1c07f6de3c5e56nvd
- git.kernel.org/stable/c/ab5ba9fd138758ddc50222264ff246b31e397abfnvd
- git.kernel.org/stable/c/ba036305323814ec1f8655313b2fa6a0f7048716nvd
News mentions
0No linked articles in our index yet.