PT-2026-6148 · Linux+3 · Linux Kernel+3

Published: 2026-01-01 · Updated: 2026-06-04 · CVE-2026-23078

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)

Description: A flaw exists in the Linux kernel's ALSA subsystem, specifically within the scarlett2 module. A logic error in the endianness conversion code of the scarlett2_usb_get_config() function can lead to buffer overflows when the count variable is greater than 1. The code checks the total buffer size (size) instead of the element size (config_item->size), which results in out-of-bounds memory access during the endianness conversion loop: the loop attempts to access count * 2 bytes, which can exceed the allocated buffer size of size bytes.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
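
The flawed guard from the description, modelled as an added example (not the kernel's code): the struct, the function names and the assumption that config_item->size is in bits are this example's own, and the sample values are constructed. It compares how many bytes the 16-bit conversion loop walks under a total-size check and under an element-size check, and shows a bounded conversion.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the driver's config item: only the field the
 * advisory names is modelled; size is assumed to be in bits per element. */
struct config_item { unsigned size; };

/* Bytes the 16-bit swap loop walks when the guard tests the TOTAL byte
 * count ("size"), as the advisory describes; 0 means the loop is skipped. */
size_t span_total_check(const struct config_item *it, size_t count)
{
    size_t size = it->size / 8 * count;      /* bytes allocated for the read */
    return size == 2 ? count * 2 : 0;
}

/* Same loop, guarded by the ELEMENT size instead. */
size_t span_element_check(const struct config_item *it, size_t count)
{
    return it->size == 16 ? count * 2 : 0;
}

/* Hardened in-place conversion: element-size guard plus an explicit bound.
 * Returns 1 if converted, 0 if nothing to convert, -1 if it would overrun. */
int convert_le16(uint8_t *buf, size_t buf_len,
                 const struct config_item *it, size_t count)
{
    if (it->size != 16)
        return 0;
    if (count > buf_len / 2)
        return -1;
    for (size_t i = 0; i < count; i++, buf += 2) {
        uint16_t v = (uint16_t)(buf[0] | (buf[1] << 8)); /* LE decode */
        memcpy(buf, &v, sizeof v);                       /* host order */
    }
    return 1;
}

int main(void)
{
    struct config_item byte_item = { 8 };    /* constructed: 1-byte elements */
    size_t count = 2, size = byte_item.size / 8 * count;

    printf("allocated %zu, total-size check walks %zu, element check walks %zu\n",
           size, span_total_check(&byte_item, count),
           span_element_check(&byte_item, count));
    return 0;
}
```

With two 1-byte elements the total is 2 bytes, so the total-size guard enters the 16-bit loop and walks 4 bytes over a 2-byte buffer, while the element-size guard skips the loop.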

Exploit

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2026-23078
ECHO-1CE9-8B17-D965
OPENSUSE-SU-2026:20416-1
SUSE-SU-2026:0962-1
SUSE-SU-2026:1081-1
SUSE-SU-2026:20667-1
SUSE-SU-2026:20720-1
SUSE-SU-2026:20838-1
SUSE-SU-2026:20845-1
SUSE-SU-2026:20876-1
SUSE-SU-2026:20931-1
SUSE-SU-2026:21284-1
USN-8162-1
USN-8180-1
USN-8180-2
USN-8180-3
USN-8180-4
USN-8180-5
USN-8180-6
USN-8186-1
USN-8187-1
USN-8188-1
USN-8243-1
USN-8275-1
USN-8278-1
USN-8278-2
USN-8289-1
USN-8289-2
USN-8296-1
USN-8296-2
USN-8297-1
USN-8393-1

Affected Products

Linuxmint
Linux Kernel
Ubuntu
Scarlett2