In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() In snd_usb_get_audioformat_uac3(), the length value returned from snd_usb_ctl_msg() is used directly for memory allocation without validation. This length is controlled by the USB device. The allocated buffer is cast to a uac3_cluster_header_descriptor and its fields are accessed without verifying that the buffer is large enough. If the device returns a smaller than expected length, this leads to an out-of-bounds read. Add a length check to ensure the buffer is large enough for uac3_cluster_header_descriptor.
2025-07-09T11:15:27.077
2025-12-18T17:11:34.247
Analyzed
416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSSv3.1: 7.1 (HIGH)
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Operating System | linux | linux_kernel | < 5.4.296 | Yes |
| Operating System | linux | linux_kernel | < 5.10.240 | Yes |
| Operating System | linux | linux_kernel | < 5.15.187 | Yes |
| Operating System | linux | linux_kernel | < 6.1.143 | Yes |
| Operating System | linux | linux_kernel | < 6.6.96 | Yes |
| Operating System | linux | linux_kernel | < 6.12.36 | Yes |
| Operating System | linux | linux_kernel | < 6.15.5 | Yes |
| Operating System | linux | linux_kernel | 6.16 | Yes |
| Operating System | linux | linux_kernel | 6.16 | Yes |
| Operating System | linux | linux_kernel | 6.16 | Yes |
| Operating System | debian | debian_linux | 11.0 | Yes |