CVE-2026-25068: CWE-129 Improper Validation of Array Index in ALSA Project alsa-lib
alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash.
AI Analysis
Technical Summary
The vulnerability arises from improper validation of an array index in alsa-lib's topology mixer control decoder. Specifically, the tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without checking it against the fixed-size channel array limit (SND_TPLG_MAX_CHAN). This can cause heap-based buffer overflow due to out-of-bounds writes when a crafted topology file specifies an excessive num_channels value. The affected versions are 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33. The CVSS 4.0 score is 4.6, indicating medium severity with local attack vector and low complexity.
Potential Impact
Successful exploitation can cause a heap-based buffer overflow leading to application crashes. The vulnerability requires local access and user interaction (UI:A), with no privileges required. There is no indication of code execution or privilege escalation. No known exploits are currently reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed as no official patch or vendor advisory is provided. Users should monitor the ALSA Project for updates or commits addressing this issue, specifically referencing commit 5f7fe33 or later. Until a patch is available, avoid processing untrusted or crafted .tplg topology files to mitigate risk.
CVE-2026-25068: CWE-129 Improper Validation of Array Index in ALSA Project alsa-lib
Description
alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash.
CVSS v4.0
Score 4.6medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises from improper validation of an array index in alsa-lib's topology mixer control decoder. Specifically, the tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without checking it against the fixed-size channel array limit (SND_TPLG_MAX_CHAN). This can cause heap-based buffer overflow due to out-of-bounds writes when a crafted topology file specifies an excessive num_channels value. The affected versions are 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33. The CVSS 4.0 score is 4.6, indicating medium severity with local attack vector and low complexity.
Potential Impact
Successful exploitation can cause a heap-based buffer overflow leading to application crashes. The vulnerability requires local access and user interaction (UI:A), with no privileges required. There is no indication of code execution or privilege escalation. No known exploits are currently reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed as no official patch or vendor advisory is provided. Users should monitor the ALSA Project for updates or commits addressing this issue, specifically referencing commit 5f7fe33 or later. Until a patch is available, avoid processing untrusted or crafted .tplg topology files to mitigate risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-01-28T21:47:35.120Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 697bb4b4ac06320222af609b
Added to database: 1/29/2026, 7:27:48 PM
Last enriched: 5/26/2026, 7:42:09 AM
Last updated: 6/15/2026, 10:30:03 AM
Views: 185
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.