CVE-2026-46146
A vulnerability exists in the Linux kernel's USB audio driver that could cause the system to hang indefinitely when processing a specially crafted USB device descriptor. The flaw is in the convert_chmap_v3() function, which processes audio channel mapping information without properly validating the descriptor size field. An attacker with local access could trigger this endless loop, causing a denial of service. The issue affects multiple versions of the Linux kernel and requires local access to exploit.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-835
- Affected products
- 9 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor. Add a proper size check to abort the loop for plugging the hole.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46146 is an infinite loop vulnerability in the ALSA (Advanced Linux Sound Architecture) USB audio subsystem, specifically in the convert_chmap_v3() function. The function iterates through a channel map descriptor using a loop increment based on the cs_desc->wLength field without validating that this field contains a valid non-zero value. A malformed or adversarial USB descriptor with an invalid wLength value can cause the loop to never terminate, leading to a kernel hang. The vulnerability is classified as CWE-835 (Loop with Unreachable Exit Condition). The fix involves adding proper bounds checking on the descriptor size before relying on it as a loop increment.
Business impact
This vulnerability allows a local attacker to trigger a kernel hang that affects system availability. On systems where users have the ability to connect USB devices—such as laptops, workstations, or systems with physical access exposure—an attacker could insert a malicious USB device to deny service to all users. In environments managing audio devices (recording studios, multimedia production, VoIP systems), this represents a targeted availability risk. The impact is confined to denial of service; there is no data exposure or privilege escalation risk.
Affected systems
The Linux kernel across multiple versions is affected, as indicated by the vendors_products data showing the vulnerability spans several kernel releases. Any Linux distribution shipping an affected kernel version with the ALSA USB audio driver compiled is potentially vulnerable. Systems that disable USB audio support or restrict USB device access are not affected. The vulnerability requires a system where USB devices can be connected or where local user access is available.
Exploitability
Exploitation requires local access (local attack vector) and the ability to either connect a USB device or have unprivileged user-level access to trigger the vulnerable code path. The attack complexity is low once local access is obtained—an attacker simply needs to plug in a malformed USB audio device or load a specially crafted descriptor. However, the CVSS score of 5.5 reflects the local-only requirement and the lack of privilege escalation impact. This is not remotely exploitable and does not appear on the CISA KEV catalog, indicating lower exploitation prevalence in real-world attacks to date.
Remediation
Apply the Linux kernel security patch that adds proper validation of the cs_desc->wLength field in the convert_chmap_v3() function before using it as a loop increment. Verify the patch against the official Linux kernel security advisory and your distribution's advisory. Systems should prioritize patching if they operate in environments where untrusted users have USB device access or if USB audio functionality is actively used. As an interim measure, disabling USB audio support via kernel module blacklist or via BIOS/firmware USB restrictions can mitigate risk, though this is not a long-term solution.
Patch guidance
Update to a patched Linux kernel version provided by your distribution vendor. Check your Linux distribution's security advisory portal for the specific patched kernel version available for your release. Kernel patches typically require a system reboot to take effect. Before applying, verify the patch matches the official upstream fix and test in a non-production environment if possible. Document the patching cycle and coordinate with your infrastructure and operations teams.
Detection guidance
Monitor for kernel hang events, especially correlated with USB device connection attempts or insertion. Check kernel logs (dmesg, journalctl) for signs of CPU hung detection or softlockup warnings occurring in the usb-audio driver or convert_chmap_v3() function. Implement endpoint detection and response (EDR) rules to flag unexpected kernel panics or hangs following USB audio descriptor processing. For proactive detection during development or testing, enable kernel debugging symbols and use tracing tools to capture descriptor values being processed by the vulnerable function.
Why prioritize this
Prioritize this patch for systems where USB audio devices are actively used or where physical USB access is a realistic threat model. Workstations, laptops, and kiosk-style systems warrant higher priority. Data center servers without USB audio requirements can deprioritize unless they operate in high-availability environments where any kernel hang is unacceptable. The MEDIUM severity and local-only requirement allow for a scheduled patching window rather than emergency action, but denial-of-service vulnerabilities should not be deferred indefinitely.
Risk score, explained
The CVSS 3.1 score of 5.5 reflects a MEDIUM severity assessment. The score factors in: (1) local attack vector—limiting exposure to systems where an attacker can gain local presence; (2) low attack complexity—the malformed descriptor is straightforward to construct; (3) low privilege requirement—unprivileged users can trigger the flaw; (4) high impact on availability—the endless loop causes a kernel hang affecting all users; and (5) no impact on confidentiality or integrity. This score appropriately captures the denial-of-service risk without inflating severity due to the local access requirement.
Frequently asked questions
Can this vulnerability be exploited remotely over the network?
No. The attack vector is explicitly local (AV:L in the CVSS vector). An attacker must have physical or logical access to the system to connect a USB device or interact with the USB subsystem. Remote network-based exploitation is not possible.
What happens when this vulnerability is triggered?
When triggered, the convert_chmap_v3() function enters an infinite loop that consumes CPU cycles and causes the kernel to hang. This results in a denial of service affecting all users and services on the system. The system will appear frozen or unresponsive until it is forcibly rebooted.
Do all Linux systems need to patch this immediately?
No. Systems that do not use USB audio functionality, or where USB device connection is physically blocked or administratively restricted, face minimal risk. Prioritize patching on systems where USB audio is actively used or where untrusted users have physical access. Data center systems without USB requirements can follow standard patching cycles.
How does this differ from other kernel denial-of-service issues?
This is a targeted denial-of-service vulnerability specific to USB audio descriptor processing. It does not allow privilege escalation or data exfiltration. It affects system availability rather than security in the traditional sense. The fix is localized to one driver subsystem, making it a lower-risk patch to deploy compared to more invasive kernel changes.
This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. Organizations should verify patch availability and compatibility with their specific kernel versions and distributions via official vendor advisories. Exploitation risk and attack surface vary based on system configuration, USB access policies, and deployment context. This assessment does not constitute security advice for any specific environment; consult with your security team and vendor guidance before making patching decisions. SEC.co makes no warranty regarding the completeness or accuracy of derived risk assessments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10028MEDIUM
CVE-2026-10028: glib-networking GnuTLS Certificate Validation Denial-of-Service
- CVE-2026-41150MEDIUM
CVE-2026-41150: Mermaid Gantt Chart DoS via Excludes Attribute | SEC.co
- CVE-2025-71313MEDIUM
CVE-2025-71313: Linux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUM
CVE-2025-71314: Linux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2026-10004MEDIUM
CVE-2026-10004: Chrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUM
CVE-2026-10018: Integer Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUM
CVE-2026-10912: Chrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUM
CVE-2026-10916: Chrome DevTools UXSS Vulnerability | SEC.co Analysis