CVE-2026-46049
Description
In the Linux kernel, the following vulnerability has been resolved:
ALSA: ctxfi: Add fallback to default RSR for S/PDIF
spdif_passthru_playback_get_resources() uses atc->pll_rate as the RSR for the MSR calculation loop. However, pll_rate is only updated in atc_pll_init() and not in hw_pll_init(), so it remains 0 after the card init.
When spdif_passthru_playback_setup() skips atc_pll_init() for 32000 Hz, (rsr * desc.msr) always becomes 0, causing the loop to spin indefinitely.
Add fallback to use atc->rsr when atc->pll_rate is 0. This reflects the hardware state, since hw_card_init() already configures the PLL to the default RSR.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, the ALSA ctxfi driver can hang during S/PDIF passthrough playback due to uninitialized pll_rate.
Vulnerability
The vulnerability exists in the Linux kernel's ALSA ctxfi driver, specifically in spdif_passthru_playback_get_resources(). The function uses atc->pll_rate as the RSR (Rate Sample Rate) for the MSR (Multiplier Sample Rate) calculation loop. However, pll_rate is only updated in atc_pll_init() and not in hw_pll_init(), so it remains 0 after card initialization. When spdif_passthru_playback_setup() skips atc_pll_init() for 32000 Hz, the calculation (rsr * desc.msr) always becomes 0, causing an infinite loop. The issue affects versions of the Linux kernel that include this code path, prior to the fix introduced in commit 09496158f6eb [1].
Exploitation
An attacker would need local access to the system and the ability to trigger S/PDIF passthrough playback with a 32000 Hz sample rate. This could be achieved by playing audio through an affected sound card that uses the ctxfi driver (e.g., Creative Sound Blaster X-Fi). The attacker does not require elevated privileges beyond user-level access to audio devices. The sequence of steps involves initiating S/PDIF passthrough playback at 32000 Hz, which causes the driver to enter an infinite loop, resulting in a hang or denial of service.
Impact
Successful exploitation leads to a denial of service (DoS) as the system hangs due to an infinite loop in the kernel driver. No privilege escalation or data disclosure is possible. The impact is limited to system availability, affecting audio functionality and potentially the entire system depending on the lock context.
Mitigation
The fix is included in Linux kernel commit 09496158f6eb [1]. Users should update to a kernel version that includes this commit. As a workaround, if patching is not immediately possible, the S/PDIF passthrough functionality at 32000 Hz should be avoided. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=6.14
Patches
107d61662197ecALSA: ctxfi: Add fallback to default RSR for S/PDIF
1 file changed · +2 −2
sound/pci/ctxfi/ctatc.c+2 −2 modifieddiff --git a/sound/pci/ctxfi/ctatc.c b/sound/pci/ctxfi/ctatc.c index 516c0a12ed9fbe..02fe093309391c 100644 --- a/sound/pci/ctxfi/ctatc.c +++ b/sound/pci/ctxfi/ctatc.c @@ -794,7 +794,8 @@ static int spdif_passthru_playback_get_resources(struct ct_atc *atc, struct src *src; int err; int n_amixer = apcm->substream->runtime->channels, i; - unsigned int pitch, rsr = atc->pll_rate; + unsigned int pitch; + unsigned int rsr = atc->pll_rate ? atc->pll_rate : atc->rsr; /* first release old resources */ atc_pcm_release_resources(atc, apcm); -- cgit 1.3-korg
25ded535ee26ALSA: ctxfi: Add fallback to default RSR for S/PDIF
1 file changed · +2 −2
sound/pci/ctxfi/ctatc.c+2 −2 modifieddiff --git a/sound/pci/ctxfi/ctatc.c b/sound/pci/ctxfi/ctatc.c index fbdb8a3d5b8e55..939539af68f636 100644 --- a/sound/pci/ctxfi/ctatc.c +++ b/sound/pci/ctxfi/ctatc.c @@ -791,7 +791,8 @@ static int spdif_passthru_playback_get_resources(struct ct_atc *atc, struct src *src; int err; int n_amixer = apcm->substream->runtime->channels, i; - unsigned int pitch, rsr = atc->pll_rate; + unsigned int pitch; + unsigned int rsr = atc->pll_rate ? atc->pll_rate : atc->rsr; /* first release old resources */ atc_pcm_release_resources(atc, apcm); -- cgit 1.3-korg
30f9494c6f2bALSA: ctxfi: Add fallback to default RSR for S/PDIF
1 file changed · +2 −2
sound/pci/ctxfi/ctatc.c+2 −2 modifieddiff --git a/sound/pci/ctxfi/ctatc.c b/sound/pci/ctxfi/ctatc.c index 2a3e9d8ba7dbe7..74eecc9ebd846d 100644 --- a/sound/pci/ctxfi/ctatc.c +++ b/sound/pci/ctxfi/ctatc.c @@ -788,7 +788,8 @@ static int spdif_passthru_playback_get_resources(struct ct_atc *atc, struct src *src; int err; int n_amixer = apcm->substream->runtime->channels, i; - unsigned int pitch, rsr = atc->pll_rate; + unsigned int pitch; + unsigned int rsr = atc->pll_rate ? atc->pll_rate : atc->rsr; /* first release old resources */ atc_pcm_release_resources(atc, apcm); -- cgit 1.3-korg
09496158f6ebALSA: ctxfi: Add fallback to default RSR for S/PDIF
1 file changed · +2 −2
sound/pci/ctxfi/ctatc.c+2 −2 modifieddiff --git a/sound/pci/ctxfi/ctatc.c b/sound/pci/ctxfi/ctatc.c index 14779b383d9ea3..d65c7dd7380698 100644 --- a/sound/pci/ctxfi/ctatc.c +++ b/sound/pci/ctxfi/ctatc.c @@ -788,7 +788,8 @@ static int spdif_passthru_playback_get_resources(struct ct_atc *atc, struct src *src; int err; int n_amixer = apcm->substream->runtime->channels, i; - unsigned int pitch, rsr = atc->pll_rate; + unsigned int pitch; + unsigned int rsr = atc->pll_rate ? atc->pll_rate : atc->rsr; /* first release old resources */ atc_pcm_release_resources(atc, apcm); -- cgit 1.3-korg
95b1ee8442caALSA: ctxfi: Add fallback to default RSR for S/PDIF
1 file changed · +2 −2
sound/pci/ctxfi/ctatc.c+2 −2 modifieddiff --git a/sound/pci/ctxfi/ctatc.c b/sound/pci/ctxfi/ctatc.c index da2667cb2489ed..206b4baa6d9291 100644 --- a/sound/pci/ctxfi/ctatc.c +++ b/sound/pci/ctxfi/ctatc.c @@ -794,7 +794,8 @@ static int spdif_passthru_playback_get_resources(struct ct_atc *atc, struct src *src; int err; int n_amixer = apcm->substream->runtime->channels, i; - unsigned int pitch, rsr = atc->pll_rate; + unsigned int pitch; + unsigned int rsr = atc->pll_rate ? atc->pll_rate : atc->rsr; /* first release old resources */ atc_pcm_release_resources(atc, apcm); -- cgit 1.3-korg
09496158f6ebALSA: ctxfi: Add fallback to default RSR for S/PDIF
1 file changed · +2 −2
sound/pci/ctxfi/ctatc.c+2 −2 modifieddiff --git a/sound/pci/ctxfi/ctatc.c b/sound/pci/ctxfi/ctatc.c index 14779b383d9ea3..d65c7dd7380698 100644 --- a/sound/pci/ctxfi/ctatc.c +++ b/sound/pci/ctxfi/ctatc.c @@ -788,7 +788,8 @@ static int spdif_passthru_playback_get_resources(struct ct_atc *atc, struct src *src; int err; int n_amixer = apcm->substream->runtime->channels, i; - unsigned int pitch, rsr = atc->pll_rate; + unsigned int pitch; + unsigned int rsr = atc->pll_rate ? atc->pll_rate : atc->rsr; /* first release old resources */ atc_pcm_release_resources(atc, apcm); -- cgit 1.3-korg
25ded535ee26ALSA: ctxfi: Add fallback to default RSR for S/PDIF
1 file changed · +2 −2
sound/pci/ctxfi/ctatc.c+2 −2 modifieddiff --git a/sound/pci/ctxfi/ctatc.c b/sound/pci/ctxfi/ctatc.c index fbdb8a3d5b8e55..939539af68f636 100644 --- a/sound/pci/ctxfi/ctatc.c +++ b/sound/pci/ctxfi/ctatc.c @@ -791,7 +791,8 @@ static int spdif_passthru_playback_get_resources(struct ct_atc *atc, struct src *src; int err; int n_amixer = apcm->substream->runtime->channels, i; - unsigned int pitch, rsr = atc->pll_rate; + unsigned int pitch; + unsigned int rsr = atc->pll_rate ? atc->pll_rate : atc->rsr; /* first release old resources */ atc_pcm_release_resources(atc, apcm); -- cgit 1.3-korg
30f9494c6f2bALSA: ctxfi: Add fallback to default RSR for S/PDIF
1 file changed · +2 −2
sound/pci/ctxfi/ctatc.c+2 −2 modifieddiff --git a/sound/pci/ctxfi/ctatc.c b/sound/pci/ctxfi/ctatc.c index 2a3e9d8ba7dbe7..74eecc9ebd846d 100644 --- a/sound/pci/ctxfi/ctatc.c +++ b/sound/pci/ctxfi/ctatc.c @@ -788,7 +788,8 @@ static int spdif_passthru_playback_get_resources(struct ct_atc *atc, struct src *src; int err; int n_amixer = apcm->substream->runtime->channels, i; - unsigned int pitch, rsr = atc->pll_rate; + unsigned int pitch; + unsigned int rsr = atc->pll_rate ? atc->pll_rate : atc->rsr; /* first release old resources */ atc_pcm_release_resources(atc, apcm); -- cgit 1.3-korg
95b1ee8442caALSA: ctxfi: Add fallback to default RSR for S/PDIF
1 file changed · +2 −2
sound/pci/ctxfi/ctatc.c+2 −2 modifieddiff --git a/sound/pci/ctxfi/ctatc.c b/sound/pci/ctxfi/ctatc.c index da2667cb2489ed..206b4baa6d9291 100644 --- a/sound/pci/ctxfi/ctatc.c +++ b/sound/pci/ctxfi/ctatc.c @@ -794,7 +794,8 @@ static int spdif_passthru_playback_get_resources(struct ct_atc *atc, struct src *src; int err; int n_amixer = apcm->substream->runtime->channels, i; - unsigned int pitch, rsr = atc->pll_rate; + unsigned int pitch; + unsigned int rsr = atc->pll_rate ? atc->pll_rate : atc->rsr; /* first release old resources */ atc_pcm_release_resources(atc, apcm); -- cgit 1.3-korg
7d61662197ecALSA: ctxfi: Add fallback to default RSR for S/PDIF
1 file changed · +2 −2
sound/pci/ctxfi/ctatc.c+2 −2 modifieddiff --git a/sound/pci/ctxfi/ctatc.c b/sound/pci/ctxfi/ctatc.c index 516c0a12ed9fbe..02fe093309391c 100644 --- a/sound/pci/ctxfi/ctatc.c +++ b/sound/pci/ctxfi/ctatc.c @@ -794,7 +794,8 @@ static int spdif_passthru_playback_get_resources(struct ct_atc *atc, struct src *src; int err; int n_amixer = apcm->substream->runtime->channels, i; - unsigned int pitch, rsr = atc->pll_rate; + unsigned int pitch; + unsigned int rsr = atc->pll_rate ? atc->pll_rate : atc->rsr; /* first release old resources */ atc_pcm_release_resources(atc, apcm); -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Uninitialized field used in rate calculation: `atc->pll_rate` remains 0 after card init because `hw_pll_init()` does not update it, causing the MSR calculation loop to multiply by zero and spin indefinitely."
Attack vector
An attacker with local access to a system using a Sound Blaster X-Fi (ctxfi) sound card can trigger an S/PDIF passthrough playback at 32000 Hz. When `spdif_passthru_playback_setup()` skips `atc_pll_init()` for this sample rate, the function `spdif_passthru_playback_get_resources()` [patch_id=2660130] reads `atc->pll_rate` which is still 0 because only `hw_pll_init()` ran during card init. The expression `(rsr * desc.msr)` always evaluates to 0, causing the loop to never terminate, resulting in a soft lockup or hang of the kernel audio subsystem.
Affected code
The vulnerable function is `spdif_passthru_playback_get_resources()` in `sound/pci/ctxfi/ctatc.c` [patch_id=2660130]. The bug is on the line that initializes `rsr` from `atc->pll_rate` without checking whether `pll_rate` has been set.
What the fix does
The patch changes the initialization of `rsr` in `spdif_passthru_playback_get_resources()` from unconditionally using `atc->pll_rate` to a ternary that falls back to `atc->rsr` when `atc->pll_rate` is 0 [patch_id=2660130]. This is correct because `hw_card_init()` already configures the PLL to the default RSR and stores that value in `atc->rsr`, so using `atc->rsr` as the fallback accurately reflects the hardware state. The fix prevents the infinite loop by ensuring `rsr` is never zero.
Preconditions
- configSystem must have a Sound Blaster X-Fi (ctxfi) sound card
- inputAttacker must be able to initiate S/PDIF passthrough playback at 32000 Hz sample rate
- inputThe card must have been initialized via hw_pll_init() without atc_pll_init() having been called for the 32000 Hz rate
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/09496158f6ebba8830593f8972035c02f97124c1nvd
- git.kernel.org/stable/c/25ded535ee261161bcf19dafd525c542e606559dnvd
- git.kernel.org/stable/c/30f9494c6f2b53a78822cfb653ffbb1d092d44c8nvd
- git.kernel.org/stable/c/7d61662197ecdc458e33e475b6ada7f6da61d364nvd
- git.kernel.org/stable/c/95b1ee8442cabbde83b2848e7c6100df90f3a00dnvd
News mentions
0No linked articles in our index yet.