VYPR
← All advisories
Unrated severityNVD Advisory· Published May 28, 2026

CVE-2026-46146

CVE-2026-46146

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()

The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.

Add a proper size check to abort the loop for plugging the hole.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing descriptor length validation in Linux kernel's ALSA USB audio driver leads to potential infinite loop in convert_chmap_v3().

Vulnerability

In the Linux kernel's ALSA USB audio driver, the convert_chmap_v3() function iterates over a channel map descriptor using cs_desc->wLength as the increment size, but lacks validation of wLength itself. A malformed USB audio descriptor with an overly large or zero wLength can cause an infinite loop, leading to a denial of service. The issue affects kernel versions prior to the patch commit be09b47ed867 [1].

Exploitation

An attacker with physical access or the ability to plug a malicious USB device into the system can exploit this vulnerability. By providing a crafted USB audio descriptor with an invalid wLength, the kernel may loop indefinitely in convert_chmap_v3(), consuming CPU resources and potentially causing a system hang. No authentication or special privileges are required beyond the ability to connect a USB device.

Impact

A successful exploit causes a denial of service due to an infinite loop in the kernel, leading to a system hang or unresponsiveness. The attack does not allow code execution or privilege escalation; the impact is limited to availability (A) of the affected system.

Mitigation

The vulnerability is fixed in the Linux kernel by commit be09b47ed867 ("ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()") [1]. Users should update their kernel to a version containing this fix. As a workaround, disable the loading of the snd-usb-audio module or restrict USB device access if the fix cannot be applied immediately. No CVE listing in KEV has been reported.

References
  1. Making sure you're not a bot!

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

10
fa5b19ce6906

ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitTakashi IwaiApr 27, 2026Fixed in 7.0.7via kernel-cna
commit
1 file changed · +2 1
  • sound/usb/stream.c+2 1 modified
    diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index d38c39e28f38fa..7e175eabca3a62 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -352,6 +352,8 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor
 		if (len < sizeof(*cs_desc))
 			break;
 		cs_len = le16_to_cpu(cs_desc->wLength);
+		if (cs_len < sizeof(*cs_desc))
+			break;
 		if (len < cs_len)
 			break;
 		cs_type = cs_desc->bSegmentType;
-- 
cgit 1.3-korg
e0e3dcf48189

ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitTakashi IwaiApr 27, 2026Fixed in 6.6.140via kernel-cna
commit
1 file changed · +2 1
  • sound/usb/stream.c+2 1 modified
    diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index 12a5e053ec54fc..54b5f496eeae9e 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -352,6 +352,8 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor
 		if (len < sizeof(*cs_desc))
 			break;
 		cs_len = le16_to_cpu(cs_desc->wLength);
+		if (cs_len < sizeof(*cs_desc))
+			break;
 		if (len < cs_len)
 			break;
 		cs_type = cs_desc->bSegmentType;
-- 
cgit 1.3-korg
6e7247d8f5fe

ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitTakashi IwaiApr 27, 2026Fixed in 7.1-rc2via kernel-cna
commit
1 file changed · +2 1
  • sound/usb/stream.c+2 1 modified
    diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index f8f56ace565235..b2c5c8198281ad 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -353,6 +353,8 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor
 		if (len < sizeof(*cs_desc))
 			break;
 		cs_len = le16_to_cpu(cs_desc->wLength);
+		if (cs_len < sizeof(*cs_desc))
+			break;
 		if (len < cs_len)
 			break;
 		cs_type = cs_desc->bSegmentType;
-- 
cgit 1.3-korg
4e0ee232ebe3

ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitTakashi IwaiApr 27, 2026Fixed in 6.12.88via kernel-cna
commit
1 file changed · +2 1
  • sound/usb/stream.c+2 1 modified
    diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index db2c9bac00adca..fa6911a0dfb16b 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -352,6 +352,8 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor
 		if (len < sizeof(*cs_desc))
 			break;
 		cs_len = le16_to_cpu(cs_desc->wLength);
+		if (cs_len < sizeof(*cs_desc))
+			break;
 		if (len < cs_len)
 			break;
 		cs_type = cs_desc->bSegmentType;
-- 
cgit 1.3-korg
be09b47ed867

ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitTakashi IwaiApr 27, 2026Fixed in 6.18.30via kernel-cna
commit
1 file changed · +2 1
  • sound/usb/stream.c+2 1 modified
    diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index 3b2526964e4b47..30523da73ec5ef 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -352,6 +352,8 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor
 		if (len < sizeof(*cs_desc))
 			break;
 		cs_len = le16_to_cpu(cs_desc->wLength);
+		if (cs_len < sizeof(*cs_desc))
+			break;
 		if (len < cs_len)
 			break;
 		cs_type = cs_desc->bSegmentType;
-- 
cgit 1.3-korg
fa5b19ce6906

ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitTakashi IwaiApr 27, 2026via nvd-ref
commit
1 file changed · +2 1
  • sound/usb/stream.c+2 1 modified
    diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index d38c39e28f38fa..7e175eabca3a62 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -352,6 +352,8 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor
 		if (len < sizeof(*cs_desc))
 			break;
 		cs_len = le16_to_cpu(cs_desc->wLength);
+		if (cs_len < sizeof(*cs_desc))
+			break;
 		if (len < cs_len)
 			break;
 		cs_type = cs_desc->bSegmentType;
-- 
cgit 1.3-korg
e0e3dcf48189

ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitTakashi IwaiApr 27, 2026via nvd-ref
commit
1 file changed · +2 1
  • sound/usb/stream.c+2 1 modified
    diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index 12a5e053ec54fc..54b5f496eeae9e 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -352,6 +352,8 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor
 		if (len < sizeof(*cs_desc))
 			break;
 		cs_len = le16_to_cpu(cs_desc->wLength);
+		if (cs_len < sizeof(*cs_desc))
+			break;
 		if (len < cs_len)
 			break;
 		cs_type = cs_desc->bSegmentType;
-- 
cgit 1.3-korg
6e7247d8f5fe

ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitTakashi IwaiApr 27, 2026via nvd-ref
commit
1 file changed · +2 1
  • sound/usb/stream.c+2 1 modified
    diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index f8f56ace565235..b2c5c8198281ad 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -353,6 +353,8 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor
 		if (len < sizeof(*cs_desc))
 			break;
 		cs_len = le16_to_cpu(cs_desc->wLength);
+		if (cs_len < sizeof(*cs_desc))
+			break;
 		if (len < cs_len)
 			break;
 		cs_type = cs_desc->bSegmentType;
-- 
cgit 1.3-korg
4e0ee232ebe3

ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitTakashi IwaiApr 27, 2026via nvd-ref
commit
1 file changed · +2 1
  • sound/usb/stream.c+2 1 modified
    diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index db2c9bac00adca..fa6911a0dfb16b 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -352,6 +352,8 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor
 		if (len < sizeof(*cs_desc))
 			break;
 		cs_len = le16_to_cpu(cs_desc->wLength);
+		if (cs_len < sizeof(*cs_desc))
+			break;
 		if (len < cs_len)
 			break;
 		cs_type = cs_desc->bSegmentType;
-- 
cgit 1.3-korg
be09b47ed867

ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitTakashi IwaiApr 27, 2026via nvd-ref
commit
1 file changed · +2 1
  • sound/usb/stream.c+2 1 modified
    diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index 3b2526964e4b47..30523da73ec5ef 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -352,6 +352,8 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor
 		if (len < sizeof(*cs_desc))
 			break;
 		cs_len = le16_to_cpu(cs_desc->wLength);
+		if (cs_len < sizeof(*cs_desc))
+			break;
 		if (len < cs_len)
 			break;
 		cs_type = cs_desc->bSegmentType;
-- 
cgit 1.3-korg

Vulnerability mechanics

Root cause

"Missing validation of the wLength field in UAC3 cluster segment descriptors allows a malformed descriptor to cause an infinite loop in convert_chmap_v3()."

Attack vector

An attacker with physical access or the ability to supply a malicious USB audio device can craft a UAC3 cluster descriptor with a `wLength` field smaller than the descriptor header size. When the kernel parses this descriptor in `convert_chmap_v3()`, the loop increments by the attacker-controlled `wLength` value; if `wLength` is zero or smaller than the header, the loop may never advance past the same descriptor, causing an endless loop and a denial of service (soft lockup). No authentication or special privileges are required beyond the ability to connect the malicious USB device.

Affected code

The vulnerable function is `convert_chmap_v3()` in `sound/usb/stream.c` [patch_id=2898301]. The loop iterates through UAC3 cluster segment descriptors using `cs_desc->wLength` as the increment, but lacked a validation that `wLength` is at least as large as the descriptor header size (`sizeof(*cs_desc)`).

What the fix does

The patch adds a single check after reading `cs_len = le16_to_cpu(cs_desc->wLength)`: if `cs_len < sizeof(*cs_desc)`, the loop breaks immediately [patch_id=2898301]. This ensures that a descriptor whose declared length is smaller than the mandatory header size is treated as invalid, preventing the loop from using that value as an increment and thus avoiding an infinite loop. The fix is minimal and targeted, closing the validation gap left by the earlier commit ecfd41166b72.

Preconditions

  • inputAttacker must supply a malicious USB audio device (or modify USB descriptor data) that presents a UAC3 cluster segment descriptor with wLength smaller than sizeof(struct uac3_cluster_header_descriptor).
  • configThe kernel must have CONFIG_SND_USB_AUDIO enabled and the device must be enumerated as a USB audio class 3 device.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.