CVE-2026-25068
- Source
- https://cve.org/CVERecord?id=CVE-2026-25068
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25068.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-25068
- Downstream
- Published
- 2026-01-29T20:16:10.623Z
- Modified
- 2026-04-12T20:28:25.600133Z
- Severity
-
- 4.6 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
- Summary
- [none]
- Details
-
alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplgdecodecontrolmixer1() function reads the numchannels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SNDTPLGMAXCHAN). A crafted topology file with an excessive numchannels value can cause out-of-bounds heap writes, leading to a crash.
- References
Affected packages
Git / github.com/alsa-project/alsa-lib
Affected ranges
- Type
- GIT
- Repo
- https://github.com/alsa-project/alsa-lib
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v1.*
v1.0.10
v1.0.10rc1
v1.0.10rc2
v1.0.10rc3
v1.0.11
v1.0.11rc1
v1.0.11rc2
v1.0.11rc3
v1.0.11rc4
v1.0.11rc5
v1.0.12
v1.0.12rc1
v1.0.12rc2
v1.0.13
v1.0.13rc1
v1.0.13rc2
v1.0.13rc3
v1.0.14
v1.0.14a
v1.0.14rc1
v1.0.14rc2
v1.0.14rc3
v1.0.14rc4
v1.0.15
v1.0.15rc1
v1.0.15rc2
v1.0.15rc3
v1.0.16
v1.0.16rc1
v1.0.16rc2
v1.0.17
v1.0.17a
v1.0.17rc1
v1.0.17rc2
v1.0.18
v1.0.18rc3
v1.0.19
v1.0.20
v1.0.21
v1.0.21a
v1.0.22
v1.0.23
v1.0.24
v1.0.24.1
v1.0.25
v1.0.26
v1.0.27
v1.0.27.1
v1.0.27.2
v1.0.28
v1.0.29
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.0.9rc1
v1.0.9rc2
v1.0.9rc3
v1.0.9rc4
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.4.1
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.9
v1.2.1
v1.2.1.1
v1.2.1.2
v1.2.10
v1.2.11
v1.2.12
v1.2.13
v1.2.14
v1.2.15
v1.2.15.1
v1.2.15.2
v1.2.15.3
v1.2.2
v1.2.3
v1.2.3.1
v1.2.3.2
v1.2.4
v1.2.5
v1.2.6
v1.2.6.1
v1.2.7
v1.2.7.1
v1.2.7.2
v1.2.8
v1.2.9
Database specific
vanir_signatures
[
{
"signature_type": "Line",
"source": "https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40",
"signature_version": "v1",
"target": {
"file": "src/topology/ctl.c"
},
"id": "CVE-2026-25068-04f3a047",
"deprecated": false,
"digest": {
"line_hashes": [
"40889492823950341381219997890138818637",
"215537673880048521820366870348777685505",
"319064719151019657717276530282089549044",
"301499185625432265915833169725067162728"
],
"threshold": 0.9
}
},
{
"signature_type": "Function",
"source": "https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40",
"signature_version": "v1",
"target": {
"file": "src/topology/ctl.c",
"function": "tplg_decode_control_mixer1"
},
"id": "CVE-2026-25068-0cbbd58c",
"deprecated": false,
"digest": {
"function_hash": "207084074088684355095339922975343511881",
"length": 2444.0
}
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25068.json"
vanir_signatures_modified
"2026-04-12T20:28:25Z"