CVE-2026-31620

Source
https://cve.org/CVERecord?id=CVE-2026-31620
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31620.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31620
Downstream
Related
Published
2026-04-24T14:42:38.607Z
Modified
2026-06-18T03:56:10.267120163Z
Summary
ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0
Details

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0

A malicious USB device with the TASCAM US-144MKII device id can have a configuration containing bInterfaceNumber=1 but no interface 0. USB configuration descriptors are not required to assign interface numbers sequentially, so usbifnumto_if(dev, 0) returns will NULL, which will then be dereferenced directly.

Fix this up by checking the return value properly.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31620.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
dee1bcf28a3dd13ddb2e9200407864f73e9c4d63
Fixed
09b145c1f1331c40dc955c0024d636f25417cddb
Fixed
fbaf29ce00e7bce683f3faf4f2b326bd0a9e6602
Fixed
d04dd67ab10dc978c6c843c6bd6a2a66a9444f51
Fixed
48bd344e1040b9f2eb512be73c13f5db83efc191

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31620.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.18.0
Fixed
6.18.24
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.14
Type
ECOSYSTEM
Events
Introduced
6.20.0
Fixed
7.0.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31620.json"