U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. Vulnerabilities

CVE-2026-23318 Detail

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Use correct version for UAC3 header validation The entry of the validators table for UAC3 AC header descriptor is defined with the wrong protocol version UAC_VERSION_2, while it should have been UAC_VERSION_3. This results in the validator never matching for actual UAC3 devices (protocol == UAC_VERSION_3), causing their header descriptors to bypass validation entirely. A malicious USB device presenting a truncated UAC3 header could exploit this to cause out-of-bounds reads when the driver later accesses unvalidated descriptor fields. The bug was introduced in the same commit as the recently fixed UAC3 feature unit sub-type typo, and appears to be from the same copy-paste error when the UAC3 section was created from the UAC2 section.


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NIST CVSS score
NIST: NVD
N/A
NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL Source(s) Tag(s)
https://git.kernel.org/stable/c/0dcd1ed96c03459cf14706885c9dd3c1fd8bd29f kernel.org Patch 
https://git.kernel.org/stable/c/1e5753ff4c2e86aa88516f97a224c90a3d0b133e kernel.org Patch 
https://git.kernel.org/stable/c/499ffd15b00dc91ac95c28f76959dfb5cdcc84d5 kernel.org Patch 
https://git.kernel.org/stable/c/54f9d645a5453d0bfece0c465d34aaf072ea99fa kernel.org Patch 
https://git.kernel.org/stable/c/82a7d0a1b88798de1a609130080ce0c65dd869e9 kernel.org Patch 
https://git.kernel.org/stable/c/8307d93e63d5f54ef10412d4db2dd551e920dee4 kernel.org Patch 
https://git.kernel.org/stable/c/a0c6ae2ea84528f198bf7fd0117f12fd0cf6d7cc kernel.org Patch 
https://git.kernel.org/stable/c/d3904ca40515272681ae61ad6f561c24f190957f kernel.org Patch 

Weakness Enumeration

CWE-ID CWE Name Source
CWE-125 Out-of-bounds Read cwe source acceptance level NIST  

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

3 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2026-23318
NVD Published Date:
03/25/2026
NVD Last Modified:
04/23/2026
Source:
kernel.org