In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Bound MIDI endpoint descriptor scans
sndusbmidigetmsinfo() validates the internal MIDIStreaming endpoint descriptor size before using baAssocJackID[], but the descriptor walker can still return a class-specific endpoint descriptor whose bLength exceeds the remaining bytes in the endpoint-extra scan.
That leaves later flexible-array reads bounded by bLength, but not by the remaining bytes in the endpoint-extra scan.
Stop walking when bLength is zero or extends past the remaining endpoint-extra scan.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52963.json",
"cna_assigner": "Linux"
}