5.5

CVE-2026-43436

ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces

The Scarlett2 mixer quirk in USB-audio driver may hit a NULL
dereference when a malformed USB descriptor is passed, since it
assumes the presence of an endpoint in the parsed interface in
scarlett2_find_fc_interface(), as reported by fuzzer.

For avoiding the NULL dereference, just add the sanity check of
bNumEndpoints and skip the invalid interface.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 5.14 < 6.1.167
LinuxLinux Kernel Version >= 6.2 < 6.6.130
LinuxLinux Kernel Version >= 6.7 < 6.12.78
LinuxLinux Kernel Version >= 6.13 < 6.18.19
LinuxLinux Kernel Version >= 6.19 < 6.19.9
LinuxLinux Kernel Version7.0 Updaterc1
LinuxLinux Kernel Version7.0 Updaterc2
LinuxLinux Kernel Version7.0 Updaterc3
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.12% 0.024
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://git.kernel.org/stable/c/b014cc945baba75816cda0cf8934be87c9ed4947
Patch
https://git.kernel.org/stable/c/c5c5a6c53cf3b658f1d4512dfa61f3cd25bc34ba
Patch
https://git.kernel.org/stable/c/b267255c15d2a5b90c4e926146aa155e5161e264
Patch
https://git.kernel.org/stable/c/3d542cf3c4c854cdf5d58049771f68926b9eb2b9
Patch
https://git.kernel.org/stable/c/3d4f23885e4b90347c9a1d779af6e79a99b5172a
Patch
https://git.kernel.org/stable/c/df1d8abf36ca3681c21a6809eaa9a1e01ef897a6
Patch