CVE-2026-31778

Source
https://cve.org/CVERecord?id=CVE-2026-31778
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31778.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31778
Downstream
Related
Published
2026-05-01T14:15:05.804Z
Modified
2026-06-19T08:29:26.742045506Z
Summary
ALSA: caiaq: fix stack out-of-bounds read in init_card
Details

In the Linux kernel, the following vulnerability has been resolved:

ALSA: caiaq: fix stack out-of-bounds read in init_card

The loop creates a whitespace-stripped copy of the card shortname where len < sizeof(card->id) is used for the bounds check. Since sizeof(card->id) is 16 and the local id buffer is also 16 bytes, writing 16 non-space characters fills the entire buffer, overwriting the terminating nullbyte.

When this non-null-terminated string is later passed to sndcardsetid() -> copyvalididstring(), the function scans forward with while (*nid && ...) and reads past the end of the stack buffer, reading the contents of the stack.

A USB device with a product name containing many non-ASCII, non-space characters (e.g. multibyte UTF-8) will reliably trigger this as follows:

BUG: KASAN: stack-out-of-bounds in copyvalididstring sound/core/init.c:696 [inline] BUG: KASAN: stack-out-of-bounds in sndcardsetidnolock+0x698/0x74c sound/core/init.c:718

The off-by-one has been present since commit bafeee5b1f8d ("ALSA: sndusbcaiaq: give better shortname") from June 2009 (v2.6.31-rc1), which first introduced this whitespace-stripping loop. The original code never accounted for the null terminator when bounding the copy.

Fix this by changing the loop bound to sizeof(card->id) - 1, ensuring at least one byte remains as the null terminator.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31778.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bafeee5b1f8d32cbf791c322b40a6fa91d8ccf7a
Fixed
02d9c5b0b5553a391448b6d655262bd829f90234
Fixed
3f7f8bae0d52cbd07ab04b76b6aac89ef98ee9f6
Fixed
66194c2575a4f567577ae70b1d7561163ce791a6
Fixed
a82c1bce2d1299dd3c686a8fe48cf75b79a403c7
Fixed
3178b62e2e31bab39f63d4c8e54bf4ee0a425627
Fixed
3afa2e67f3523a980a2f90fd63c22322ac2b9ce0
Fixed
7594a6464873d90fd229e5b94cdd3b92c9feabed
Fixed
45424e871abf2a152e247a9cff78359f18dd95c0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31778.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.31
Fixed
5.10.253
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.203
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.168
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.134
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.81
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.22
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.12

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31778.json"