{"id":"CVE-2026-23318","summary":"ALSA: usb-audio: Use correct version for UAC3 header validation","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Use correct version for UAC3 header validation\n\nThe entry of the validators table for UAC3 AC header descriptor is\ndefined with the wrong protocol version UAC_VERSION_2, while it should\nhave been UAC_VERSION_3.  This results in the validator never matching\nfor actual UAC3 devices (protocol == UAC_VERSION_3), causing their\nheader descriptors to bypass validation entirely.  A malicious USB\ndevice presenting a truncated UAC3 header could exploit this to cause\nout-of-bounds reads when the driver later accesses unvalidated\ndescriptor fields.\n\nThe bug was introduced in the same commit as the recently fixed UAC3\nfeature unit sub-type typo, and appears to be from the same copy-paste\nerror when the UAC3 section was created from the UAC2 section.","modified":"2026-04-02T13:12:21.263855Z","published":"2026-03-25T10:27:12.884Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23318.json"},"references":[{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0dcd1ed96c03459cf14706885c9dd3c1fd8bd29f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1e5753ff4c2e86aa88516f97a224c90a3d0b133e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/499ffd15b00dc91ac95c28f76959dfb5cdcc84d5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/54f9d645a5453d0bfece0c465d34aaf072ea99fa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a0c6ae2ea84528f198bf7fd0117f12fd0cf6d7cc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d3904ca40515272681ae61ad6f561c24f190957f"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23318.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23318"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"57f8770620e9b51c61089751f0b5ad3dbe376ff2"},{"fixed":"0dcd1ed96c03459cf14706885c9dd3c1fd8bd29f"},{"fixed":"a0c6ae2ea84528f198bf7fd0117f12fd0cf6d7cc"},{"fixed":"d3904ca40515272681ae61ad6f561c24f190957f"},{"fixed":"1e5753ff4c2e86aa88516f97a224c90a3d0b133e"},{"fixed":"499ffd15b00dc91ac95c28f76959dfb5cdcc84d5"},{"fixed":"54f9d645a5453d0bfece0c465d34aaf072ea99fa"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"17821e2fb16752f5d363fb5c3f8aab4df41b9bcc"},{"last_affected":"bf74a46aebb1b5ab5e5f25bafa4ae0a453ba813a"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23318.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.4.0"},{"fixed":"6.1.167"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.130"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.77"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.17"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23318.json"}}],"schema_version":"1.7.5"}
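The failure mode the record's "details" field describes, as an added, stand-alone illustration that is not code from the Linux kernel or from the fixing commits: a descriptor-validator table whose lookup is keyed on (protocol, descriptor type, subtype), with the policy that a descriptor no entry matches is passed through unchecked. The buggy table registers the UAC3 AC header entry under UAC_VERSION_2, so a UAC3 device's header never matches and a truncated header reaches the field reads; the fixed table keys it under UAC_VERSION_3 and rejects the same header. The constants (UAC_VERSION_2 = 0x20, UAC_VERSION_3 = 0x30, USB_DT_CS_INTERFACE = 0x24, UAC_HEADER = 0x01) and the 10-byte UAC3 AC header layout follow the USB Audio Class definitions as used in the kernel's headers; the table shape, the `validate_desc` lookup, the `parse_uac3_ac_header` consumer and the sample descriptor bytes are this example's own simplified modelling, not the driver's code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* USB Audio Class constants (values as defined in the class specs). */
#define UAC_VERSION_2        0x20
#define UAC_VERSION_3        0x30
#define USB_DT_CS_INTERFACE  0x24
#define UAC_HEADER           0x01

/* UAC3 class-specific AC header descriptor: 10 bytes on the wire. */
struct uac3_ac_header_descriptor {
    uint8_t  bLength;
    uint8_t  bDescriptorType;
    uint8_t  bDescriptorSubtype;
    uint8_t  bCategory;
    uint16_t wTotalLength;
    uint32_t bmControls;
} __attribute__((packed));

/* One validator-table entry: which descriptor it applies to and the
 * minimum bLength the descriptor must carry. Simplified model, not the
 * kernel's struct. */
struct desc_validator {
    uint8_t protocol;
    uint8_t type;
    uint8_t subtype;
    size_t  min_size;
};
#define FIXED(proto, sub, st) { (proto), USB_DT_CS_INTERFACE, (sub), sizeof(st) }

/* Buggy table: the UAC3 header entry is registered under UAC_VERSION_2. */
static const struct desc_validator buggy_validators[] = {
    FIXED(UAC_VERSION_2, UAC_HEADER, struct uac3_ac_header_descriptor),
    { 0, 0, 0, 0 }   /* terminator */
};

/* Fixed table: keyed on the protocol UAC3 devices actually report. */
static const struct desc_validator fixed_validators[] = {
    FIXED(UAC_VERSION_3, UAC_HEADER, struct uac3_ac_header_descriptor),
    { 0, 0, 0, 0 }
};

/* Look up a validator for hdr under the given protocol. Returns false
 * only when a matching entry rejects the descriptor; with no matching
 * entry the descriptor is let through unchecked. */
static bool validate_desc(const uint8_t *hdr, int protocol,
                          const struct desc_validator *v)
{
    if (hdr[1] != USB_DT_CS_INTERFACE)
        return true;
    for (; v->type; v++) {
        if (v->type != hdr[1] || v->protocol != protocol || v->subtype != hdr[2])
            continue;
        return hdr[0] >= v->min_size;   /* bLength must cover the whole struct */
    }
    return true;   /* no validator matched: skip validation */
}

enum parse_result {
    PARSE_REJECTED,   /* validator refused the descriptor */
    PARSE_OK,         /* accepted; every field read stayed inside the data */
    PARSE_OOB_READ    /* accepted, but reading the struct runs past the data */
};

/* Consumer that trusts validation: once a header is accepted it reads the
 * full struct. 'avail' is how many bytes the device actually supplied;
 * if the struct is larger than that, a real driver would read past the end. */
static enum parse_result parse_uac3_ac_header(const uint8_t *buf, size_t avail,
                                              int protocol,
                                              const struct desc_validator *table,
                                              uint32_t *controls_out)
{
    if (avail < 3)
        return PARSE_REJECTED;
    if (!validate_desc(buf, protocol, table))
        return PARSE_REJECTED;
    if (sizeof(struct uac3_ac_header_descriptor) > avail)
        return PARSE_OOB_READ;
    /* bmControls is little-endian at offset 6. */
    if (controls_out)
        *controls_out = (uint32_t)buf[6] | (uint32_t)buf[7] << 8 |
                        (uint32_t)buf[8] << 16 | (uint32_t)buf[9] << 24;
    return PARSE_OK;
}

/* Constructed sample descriptors (not captured from a real device). */
static const uint8_t truncated_uac3_header[4] = {
    0x04, USB_DT_CS_INTERFACE, UAC_HEADER, 0x01 };
static const uint8_t good_uac3_header[10] = {
    0x0a, USB_DT_CS_INTERFACE, UAC_HEADER, 0x01, 0x0a, 0x00, 0x05, 0x00, 0x00, 0x00 };

int main(void)
{
    static const char *names[] = { "REJECTED", "OK", "OOB_READ" };
    uint32_t controls = 0;
    printf("buggy table, truncated UAC3 header: %s\n",
           names[parse_uac3_ac_header(truncated_uac3_header, 4, UAC_VERSION_3,
                                      buggy_validators, NULL)]);
    printf("fixed table, truncated UAC3 header: %s\n",
           names[parse_uac3_ac_header(truncated_uac3_header, 4, UAC_VERSION_3,
                                      fixed_validators, NULL)]);
    printf("fixed table, well-formed header:    %s (bmControls=%u)\n",
           names[parse_uac3_ac_header(good_uac3_header, 10, UAC_VERSION_3,
                                      fixed_validators, &controls)], controls);
    return 0;
}
```

The practitioner's check is the first call: a descriptor that should have been rejected is instead parsed, and the only thing standing between the driver and memory past the descriptor is whatever the device chose to send. Note that nothing else in the consumer re-validates bLength, which is exactly why a silent "no entry matched, pass" policy combined with a mis-keyed table entry becomes a memory-safety bug rather than a functional one.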