CVE Catalog

CVE-2026-46088

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile - higher than 2% of all known CVEs

Summary

In the Linux kernel, the ALSA control function snd_ctl_elem_init_enum_names() lacks validation of buf_len before calling strnlen(). When buf_len reaches zero but items remain, calling strnlen(p, 0) with CONFIG_FORTIFY_SOURCE enabled may cause a kernel panic (BRK exception) instead of safely handling the error.

Risk Assessment

The risk is that an attacker could trigger a kernel panic (denial of service) by supplying specially crafted control data to the ALSA interface, potentially causing system crash.

Recommendation

Immediately update the Linux kernel to a version containing the fix that adds a buf_len == 0 guard at the loop entry in snd_ctl_elem_init_enum_names().

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names() snd_ctl_elem_init_enum_names() advances pointer p through the names buffer while decrementing buf_len. If buf_len reaches zero but items remain, the next iteration calls strnlen(p, 0). While strnlen(p, 0) returns 0 and would hit the existing name_len == 0 error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks maxlen against __builtin_dynamic_object_size(). When Clang loses track of p's object size inside the loop, this triggers a BRK exception panic before the return value is examined. Add a buf_len == 0 guard at the loop entry to prevent calling fortified strnlen() on an exhausted buffer. Found by kernel fuzz testing through Xiaomi Smartphone.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS