Linux Kernel: ALSA USB-Audio Driver Null Deref via Scarlett2 quirk
CVE-2026-43436 Published on May 8, 2026
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces
The Scarlett2 mixer quirk in the USB-audio driver may hit a NULL
dereference when a malformed USB descriptor is passed, since it
assumes the presence of an endpoint in the parsed interface in
scarlett2_find_fc_interface(), as reported by a fuzzer.
To avoid the NULL dereference, just add a sanity check of
bNumEndpoints and skip the invalid interface.
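The check described in the commit message, modelled in user-space C as an added example; it is not the kernel patch and not code from this page. The structs, the class filter, the function name `find_fc_interface` and the sample descriptors are simplified assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified user-space stand-ins for USB descriptor data (assumption,
 * not the kernel's struct usb_host_interface). */
struct ep_desc { uint8_t bEndpointAddress; };
struct intf_desc {
    uint8_t bInterfaceClass;
    uint8_t bInterfaceNumber;
    uint8_t bNumEndpoints;          /* device-supplied, untrusted */
    const struct ep_desc *endpoint; /* NULL when no endpoints were parsed */
};

#define CLASS_VENDOR 0xff /* class filter is an assumption of this model */

/* Return the number of the first usable interface and store its first
 * endpoint address in *ep_addr; return -1 if no interface qualifies. */
int find_fc_interface(const struct intf_desc *intf, size_t n, uint8_t *ep_addr)
{
    for (size_t i = 0; i < n; i++) {
        if (intf[i].bInterfaceClass != CLASS_VENDOR)
            continue;
        /* The sanity check: skip an interface that declares no endpoint.
         * Without it, endpoint[0] below is a NULL dereference. */
        if (intf[i].bNumEndpoints < 1 || !intf[i].endpoint)
            continue;
        *ep_addr = intf[i].endpoint[0].bEndpointAddress;
        return intf[i].bInterfaceNumber;
    }
    return -1;
}

/* Constructed sample input: interface 0 is malformed, interface 1 is valid. */
static const struct ep_desc sample_ep = { 0x83 };
static const struct intf_desc sample[] = {
    { CLASS_VENDOR, 0, 0, NULL },
    { CLASS_VENDOR, 1, 1, &sample_ep },
};

/* Packs the result as (interface << 8) | endpoint address, or -1. */
int scan_sample(size_t count)
{
    uint8_t ep = 0;
    int ifnum = find_fc_interface(sample, count, &ep);
    return ifnum < 0 ? -1 : (ifnum << 8) | ep;
}
```

With only the malformed interface present the scan finds nothing; with both present it skips interface 0 and selects interface 1.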
Products Associated with CVE-2026-43436
Affected Versions
Linux:
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below b014cc945baba75816cda0cf8934be87c9ed4947 is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below c5c5a6c53cf3b658f1d4512dfa61f3cd25bc34ba is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below b267255c15d2a5b90c4e926146aa155e5161e264 is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 3d542cf3c4c854cdf5d58049771f68926b9eb2b9 is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 3d4f23885e4b90347c9a1d779af6e79a99b5172a is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below df1d8abf36ca3681c21a6809eaa9a1e01ef897a6 is affected.
- Version 6.1.167, <= 6.1.* is unaffected.
- Version 6.6.130, <= 6.6.* is unaffected.
- Version 6.12.78, <= 6.12.* is unaffected.
- Version 6.18.19, <= 6.18.* is unaffected.
- Version 6.19.9, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.