Bug 2492261 (CVE-2026-52964)

Summary: CVE-2026-52964 kernel: ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's ALSA USB audio component. The USB MIDI 2.0 endpoint parser, responsible for handling audio device descriptors, failed to properly validate the length of these descriptors. This vulnerability could allow a local attacker, by connecting a specially crafted malformed USB MIDI 2.0 device, to cause an out-of-bounds read. Such an issue can lead to memory corruption, potentially resulting in information disclosure or a system crash (denial of service).
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-24 18:01:48 UTC
In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans

The USB MIDI 2.0 endpoint parser has the same descriptor walking
pattern as the legacy MIDI parser. It validates bLength against
bNumGrpTrmBlock before reading baAssoGrpTrmBlkID[], but not against the
remaining bytes in the endpoint-extra scan.

A malformed device can therefore make later baAssoGrpTrmBlkID[] reads
consume bytes past the walked descriptor.

Reject zero-length and overlong descriptors while walking endpoint
extras.

Comment 1 Mauro Matteo Cascella 2026-06-25 12:37:45 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062437-CVE-2026-52964-695e@gregkh/T