CVE-2026-46184: Linux ua101 USB Audio Driver Division-by-Zero Denial-of-Service
A USB audio device driver in the Linux kernel can crash if a malformed device provides zero audio channels. The driver fails to validate a critical USB descriptor field before using it in calculations, leading to a division-by-zero error when the device is connected. An attacker with physical access to plug in a crafted USB device could trigger a kernel panic on vulnerable systems.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-369
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: sound: ua101: fix division by zero at probe Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete(). USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46184 addresses a division-by-zero vulnerability in the Linux kernel's ua101 USB audio driver. The vulnerability exists in the detect_usb_format() function, which lacks validation of the bNrChannels field from the USB device's class-specific descriptor. When bNrChannels is zero, the derived frame_bytes value becomes zero. This zero value is later used as a divisor in the playback_urb_complete() and capture_urb_complete() interrupt handlers, causing a kernel division-by-zero exception. The vulnerability is classified as CWE-369 (Divide By Zero). The USB core specification does not mandate validation of class-specific descriptor fields, placing the burden on individual drivers to implement defensive checks.
Business impact
A successful exploit causes a denial-of-service via kernel panic. Systems relying on affected Linux kernels will crash upon connection of a malicious USB audio device, disrupting availability. The impact is localized to the affected host; there is no data breach or privilege escalation. Recovery requires manual intervention or reboot. For environments with strict uptime requirements or unattended systems, this represents a material operational risk.
Affected systems
The Linux kernel's ua101 audio driver is affected. This driver supports Behringer U-Audio UAB-101 and similar USB audio interfaces. The vulnerability affects all kernel versions prior to the fix; verify the specific patched version against your distribution's advisory. Systems must have the ua101 driver compiled and loaded for exposure.
Exploitability
Exploitation requires physical access to connect a USB device to the target system. The attack requires no user interaction beyond normal device enumeration. No authentication or elevated privileges are needed on the host; a local user with USB port access can trigger the crash. The bar for crafting a malicious device is low—a standard USB fuzzing tool or a re-programmed microcontroller can produce a descriptor with bNrChannels=0. However, the attack surface is limited to systems with the ua101 driver enabled and physical USB access permitted.
Remediation
Apply the kernel patch that adds bNrChannels validation in detect_usb_format(). The fix enforces a sanity check to reject devices reporting zero channels before frame_bytes is computed. Verify the patched kernel version from your Linux distribution's security advisory. For systems unable to patch immediately, disable the ua101 driver if not in use, or restrict physical USB access via BIOS, firmware, or policy controls.
Patch guidance
Obtain the latest kernel update from your distribution maintainer. Verify the fix is present by confirming that detect_usb_format() now validates bNrChannels before performing calculations. Test the patch by connecting known-good USB audio devices to ensure normal operation. Reboot to activate the updated kernel.
Detection guidance
Monitor kernel logs for division-by-zero panics or oops messages originating from the ua101 driver or URB completion handlers. On systems with USB device logging enabled, look for enumeration events immediately preceding crashes. Intrusion detection systems can flag attempts to connect USB devices with malformed descriptors, though this requires USB descriptor inspection at the host level. Host-based monitoring should alert on unexpected kernel crashes coinciding with USB device connection events.
Why prioritize this
While the CVSS score of 5.5 (MEDIUM) reflects the requirement for physical access, the ease of exploitation—combined with the certainty of denial-of-service—warrants prompt patching for systems exposed to untrusted USB ports. Prioritize systems in multi-user environments, kiosks, public terminals, or facilities where physical security is not absolute. Data centers and isolated production systems with restricted USB access may apply normal patch cycles.
Risk score, explained
The CVSS:3.1 score of 5.5 reflects: Attack Vector Local (L), Attack Complexity Low (L), Privileges Required for non-default operation (L), User Interaction None (N), and a high impact to Availability (A). The score does not account for Confidentiality or Integrity, as the vulnerability causes a crash without data exposure or system compromise. The medium severity reflects the barrier of physical access required, balanced against the certainty and ease of triggering a denial-of-service.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The attack requires physical access to a USB port. The vulnerability cannot be triggered over a network or by a remote user without physical device access.
What is the user impact if my system is patched?
If the patch is applied, attempting to connect a malicious USB audio device will result in the device being rejected during enumeration with a kernel warning or log entry. Normal operation of legitimate USB audio devices is unaffected.
Do I need the ua101 driver for this to affect my system?
Yes. The vulnerability is specific to the Behringer U-Audio ua101 driver. If this driver is not compiled into your kernel or not loaded as a module, your system is not vulnerable.
What should I do if I cannot patch immediately?
Restrict physical USB access via BIOS/firmware settings, disable the ua101 driver if unused, or isolate systems from untrusted environments. Ensure USB port security policies are enforced.
This analysis is based on the CVE record and public vulnerability data as of the publication date. Patch availability and version numbers should be verified against your specific Linux distribution's security advisory. Testing in a non-production environment is recommended before deploying patches. Physical security controls and USB policies vary by organization; assess your environment's exposure independently. SEC.co makes no warranty regarding the completeness or accuracy of this information for your specific systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46161MEDIUMLinux Kernel RAID10 Divide-by-Zero Denial of Service
- CVE-2025-70100MEDIUMlwext4 Divide-by-Zero Denial of Service (MEDIUM)
- CVE-2026-10201LOWAssimp FBX Divide-by-Zero Denial of Service
- CVE-2026-37232HIGHOpenAirInterface5G KPM Division-by-Zero DoS Vulnerability
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer