CVE-2026-31778

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: caiaq: fix stack out-of-bounds read in init_card<br /> <br /> The loop creates a whitespace-stripped copy of the card shortname<br /> where `len id)` is used for the bounds check. Since<br /> sizeof(card-&gt;id) is 16 and the local id buffer is also 16 bytes,<br /> writing 16 non-space characters fills the entire buffer,<br /> overwriting the terminating nullbyte.<br /> <br /> When this non-null-terminated string is later passed to<br /> snd_card_set_id() -&gt; copy_valid_id_string(), the function scans<br /> forward with `while (*nid &amp;&amp; ...)` and reads past the end of the<br /> stack buffer, reading the contents of the stack.<br /> <br /> A USB device with a product name containing many non-ASCII, non-space<br /> characters (e.g. multibyte UTF-8) will reliably trigger this as follows:<br /> <br /> BUG: KASAN: stack-out-of-bounds in copy_valid_id_string<br /> sound/core/init.c:696 [inline]<br /> BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock+0x698/0x74c<br /> sound/core/init.c:718<br /> <br /> The off-by-one has been present since commit bafeee5b1f8d ("ALSA:<br /> snd_usb_caiaq: give better shortname") from June 2009 (v2.6.31-rc1),<br /> which first introduced this whitespace-stripping loop. The original<br /> code never accounted for the null terminator when bounding the copy.<br /> <br /> Fix this by changing the loop bound to `sizeof(card-&gt;id) - 1`,<br /> ensuring at least one byte remains as the null terminator.