{ "threat_severity" : "Moderate", "public_date" : "2025-12-06T00:00:00Z", "bugzilla" : { "description" : "kernel: Linux kernel ALSA USB audio driver: Buffer overflow leading to information disclosure and denial of service", "id" : "2419919", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2419919" }, "cvss3" : { "cvss3_base_score" : "7.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H", "status" : "verified" }, "cwe" : "CWE-131", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nALSA: usb-audio: Fix potential overflow of PCM transfer buffer\nThe PCM stream data in USB-audio driver is transferred over USB URB\npacket buffers, and each packet size is determined dynamically. The\npacket sizes are limited by some factors such as wMaxPacketSize USB\ndescriptor. OTOH, in the current code, the actually used packet sizes\nare determined only by the rate and the PPS, which may be bigger than\nthe size limit above. This results in a buffer overflow, as reported\nby syzbot.\nBasically when the limit is smaller than the calculated packet size,\nit implies that something is wrong, most likely a weird USB\ndescriptor. So the best option would be just to return an error at\nthe parameter setup time before doing any further operations.\nThis patch introduces such a sanity check, and returns -EINVAL when\nthe packet size is greater than maxpacksize. The comparison with\nep->packsize[1] alone should suffice since it's always equal or\ngreater than ep->packsize[0].", "A flaw was found in the ALSA USB audio driver of the Linux kernel. This vulnerability, a buffer overflow, occurs when the size of the Pulse-Code Modulation (PCM) stream data packets exceeds the maximum allowed by the USB descriptor. A local attacker could exploit this by providing specially crafted USB audio device parameters, causing the PCM transfer buffer to overflow. This could lead to sensitive information disclosure and potentially result in a denial of service (DoS)." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-02-16T00:00:00Z", "advisory" : "RHSA-2026:2721", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "kernel-0:6.12.0-124.38.1.el10_1" }, { "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support", "release_date" : "2026-02-16T00:00:00Z", "advisory" : "RHSA-2026:2761", "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0", "package" : "kernel-0:6.12.0-55.60.1.el10_0" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-02-10T00:00:00Z", "advisory" : "RHSA-2026:2378", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.104.1.rt7.445.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-02-09T00:00:00Z", "advisory" : "RHSA-2026:2264", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.104.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2026-03-25T00:00:00Z", "advisory" : "RHSA-2026:5821", "cpe" : "cpe:/o:redhat:rhel_aus:8.4", "package" : "kernel-0:4.18.0-305.187.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2026-03-25T00:00:00Z", "advisory" : "RHSA-2026:5821", "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4", "package" : "kernel-0:4.18.0-305.187.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2026-03-11T00:00:00Z", "advisory" : "RHSA-2026:4243", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.183.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2026-03-11T00:00:00Z", "advisory" : "RHSA-2026:4243", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.183.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2026-03-11T00:00:00Z", "advisory" : "RHSA-2026:4243", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.183.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2026-03-11T00:00:00Z", "advisory" : "RHSA-2026:4242", "cpe" : "cpe:/o:redhat:rhel_tus:8.8", "package" : "kernel-0:4.18.0-477.132.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2026-03-11T00:00:00Z", "advisory" : "RHSA-2026:4242", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "kernel-0:4.18.0-477.132.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-02-09T00:00:00Z", "advisory" : "RHSA-2026:2212", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.30.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-02-09T00:00:00Z", "advisory" : "RHSA-2026:2212", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.30.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3293", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "kernel-0:5.14.0-70.167.1.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3375", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv", "package" : "kernel-rt-0:5.14.0-70.167.1.rt21.239.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3267", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "kernel-0:5.14.0-284.158.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3358", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.158.1.rt14.443.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2026-02-17T00:00:00Z", "advisory" : "RHSA-2026:2766", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "kernel-0:5.14.0-427.111.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support", "release_date" : "2026-02-16T00:00:00Z", "advisory" : "RHSA-2026:2759", "cpe" : "cpe:/a:redhat:rhel_eus:9.6", "package" : "kernel-0:5.14.0-570.89.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Under investigation", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-40269\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-40269\nhttps://lore.kernel.org/linux-cve-announce/2025120716-CVE-2025-40269-9769@gregkh/T" ], "name" : "CVE-2025-40269", "mitigation" : { "value" : "To mitigate this issue, prevent the `snd_usb_audio` kernel module from loading if USB audio functionality is not required. Create a file `/etc/modprobe.d/disable-snd-usb-audio.conf` with the following content:\n`install snd_usb_audio /bin/true`\nAfter creating the file, a system reboot is required for the changes to take effect. This action will disable all USB audio device functionality.", "lang" : "en:us" }, "csaw" : false }