CVE-2026-52963 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Bound MIDI endpoint descriptor scans

snd_usbmidi_get_ms_info() validates the internal MIDIStreaming endpoint
descriptor size before using baAssocJackID[], but the descriptor walker can
still return a class-specific endpoint descriptor whose bLength exceeds the
remaining bytes in the endpoint-extra scan.

That leaves later flexible-array reads bounded by bLength, but not by the
remaining bytes in the endpoint-extra scan.

Stop walking when bLength is zero or
extends past the remaining endpoint-extra scan.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`5c6cd7021a05a02fcf37f360592d7c18d4d807fb`	affected	< e2f1260a056eb3215c13c48c5378f3e4112dc3af
`5c6cd7021a05a02fcf37f360592d7c18d4d807fb`	affected	< c65b137d351e21cbc5630e73ef0eb1e1d75f5b20
`5c6cd7021a05a02fcf37f360592d7c18d4d807fb`	affected	< 728ab0c72e49ca27185067984cd565425eb69b2e
`5c6cd7021a05a02fcf37f360592d7c18d4d807fb`	affected	< 3d3b2b01a3e73828e201ece96f863e7a3e0cdc6e
`5c6cd7021a05a02fcf37f360592d7c18d4d807fb`	affected	< a0226560540c16717efcceaf15c862cf115b01d3
`5c6cd7021a05a02fcf37f360592d7c18d4d807fb`	affected	< 09141583bd97f4bbd7358e29fd138fe798467cdb
`5c6cd7021a05a02fcf37f360592d7c18d4d807fb`	affected	< c59159ce10e75b568cd0d4b29efcb0fb0ddecc94
`5c6cd7021a05a02fcf37f360592d7c18d4d807fb`	affected	< d6854daa67be623860f4e1873fd3d3c275aba4ed
`9e0c71f2f633b0442661966228827d1a33df485f`	affected	—
`0868bc5654c07628c421547f0821650a8c2cb8f3`	affected	—
`78483c1c7741ffa72991d93d19a75bfdcc2cbf57`	affected	—
`65d95462001c6ccd9bc9499c1fc9a90eca9de496`	affected	—
`ca767cf0152d18fc299cde85b18d1f46ac21e1ba`	affected	—
`4.4.238`	affected	< 4.5
`4.9.238`	affected	< 4.10
`4.14.200`	affected	< 4.15
`4.19.149`	affected	< 4.20
`5.4.69`	affected	< 5.5

Linux

affected

Version	Status	Constraints
`5.7`	affected	—
`0`	unaffected	< 5.7
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

No data.

Project Subscriptions

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/09141583bd97f4bbd7358e29fd138fe798467cdb
https://git.kernel.org/stable/c/3d3b2b01a3e73828e201ece96f863e7a3e0cdc6e
https://git.kernel.org/stable/c/728ab0c72e49ca27185067984cd565425eb69b2e
https://git.kernel.org/stable/c/a0226560540c16717efcceaf15c862cf115b01d3
https://git.kernel.org/stable/c/c59159ce10e75b568cd0d4b29efcb0fb0ddecc94
https://git.kernel.org/stable/c/c65b137d351e21cbc5630e73ef0eb1e1d75f5b20
https://git.kernel.org/stable/c/d6854daa67be623860f4e1873fd3d3c275aba4ed
https://git.kernel.org/stable/c/e2f1260a056eb3215c13c48c5378f3e4112dc3af

History

Wed, 24 Jun 2026 18:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Bound MIDI endpoint descriptor scans snd_usbmidi_get_ms_info() validates the internal MIDIStreaming endpoint descriptor size before using baAssocJackID[], but the descriptor walker can still return a class-specific endpoint descriptor whose bLength exceeds the remaining bytes in the endpoint-extra scan. That leaves later flexible-array reads bounded by bLength, but not by the remaining bytes in the endpoint-extra scan. Stop walking when bLength is zero or extends past the remaining endpoint-extra scan.
Title		ALSA: usb-audio: Bound MIDI endpoint descriptor scans
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/09141583bd97f4bbd7358e29fd138fe798467cdb https://git.kernel.org/stable/c/3d3b2b01a3e73828e201ece96f863e7a3e0cdc6e https://git.kernel.org/stable/c/728ab0c72e49ca27185067984cd565425eb69b2e https://git.kernel.org/stable/c/a0226560540c16717efcceaf15c862cf115b01d3 https://git.kernel.org/stable/c/c59159ce10e75b568cd0d4b29efcb0fb0ddecc94 https://git.kernel.org/stable/c/c65b137d351e21cbc5630e73ef0eb1e1d75f5b20 https://git.kernel.org/stable/c/d6854daa67be623860f4e1873fd3d3c275aba4ed https://git.kernel.org/stable/c/e2f1260a056eb3215c13c48c5378f3e4112dc3af

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:28:43.593Z

Updated: 2026-06-24T16:28:43.593Z

Reserved: 2026-06-09T07:44:35.374Z

Link: CVE-2026-52963

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T18:30:06Z

Weaknesses

CWE-125

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object