{"api_version":"1","generated_at":"2026-06-26T01:06:36+00:00","cve":"CVE-2026-52964","urls":{"html":"https://cve.report/CVE-2026-52964","api":"https://cve.report/api/cve/CVE-2026-52964.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-52964","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-52964"},"summary":{"title":"ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans\n\nThe USB MIDI 2.0 endpoint parser has the same descriptor walking\npattern as the legacy MIDI parser. It validates bLength against\nbNumGrpTrmBlock before reading baAssoGrpTrmBlkID[], but not against the\nremaining bytes in the endpoint-extra scan.\n\nA malformed device can therefore make later baAssoGrpTrmBlkID[] reads\nconsume bytes past the walked descriptor.\n\nReject zero-length and overlong descriptors while walking endpoint\nextras.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-24 17:17:06","updated_at":"2026-06-24 17:17:06"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/f9c184a83574549a36ea69b755f650e57d164c78","name":"https://git.kernel.org/stable/c/f9c184a83574549a36ea69b755f650e57d164c78","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/17e76b19de1aff5ff4de64d269290bd1b07a01d3","name":"https://git.kernel.org/stable/c/17e76b19de1aff5ff4de64d269290bd1b07a01d3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a310b4bebda5e4a1b26520c0cc5145ccd6d617e2","name":"https://git.kernel.org/stable/c/a310b4bebda5e4a1b26520c0cc5145ccd6d617e2","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/fafc97bd01e4c737eaeafadfdadb1af4bbfa7307","name":"https://git.kernel.org/stable/c/fafc97bd01e4c737eaeafadfdadb1af4bbfa7307","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/918be519c7876329e1b6e2ea1c59f0b75e792dca","name":"https://git.kernel.org/stable/c/918be519c7876329e1b6e2ea1c59f0b75e792dca","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-52964","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-52964","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ff49d1df79aef7580fe3ac99d17c3f886655d080 fafc97bd01e4c737eaeafadfdadb1af4bbfa7307 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ff49d1df79aef7580fe3ac99d17c3f886655d080 a310b4bebda5e4a1b26520c0cc5145ccd6d617e2 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ff49d1df79aef7580fe3ac99d17c3f886655d080 f9c184a83574549a36ea69b755f650e57d164c78 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ff49d1df79aef7580fe3ac99d17c3f886655d080 17e76b19de1aff5ff4de64d269290bd1b07a01d3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ff49d1df79aef7580fe3ac99d17c3f886655d080 918be519c7876329e1b6e2ea1c59f0b75e792dca git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.5","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.5 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.141 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.91 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.33 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.10 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"52964","cve":"CVE-2026-52964","epss":"0.001750000","percentile":"0.072030000","score_date":"2026-06-25","updated_at":"2026-06-26 00:06:15"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["sound/usb/midi2.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"fafc97bd01e4c737eaeafadfdadb1af4bbfa7307","status":"affected","version":"ff49d1df79aef7580fe3ac99d17c3f886655d080","versionType":"git"},{"lessThan":"a310b4bebda5e4a1b26520c0cc5145ccd6d617e2","status":"affected","version":"ff49d1df79aef7580fe3ac99d17c3f886655d080","versionType":"git"},{"lessThan":"f9c184a83574549a36ea69b755f650e57d164c78","status":"affected","version":"ff49d1df79aef7580fe3ac99d17c3f886655d080","versionType":"git"},{"lessThan":"17e76b19de1aff5ff4de64d269290bd1b07a01d3","status":"affected","version":"ff49d1df79aef7580fe3ac99d17c3f886655d080","versionType":"git"},{"lessThan":"918be519c7876329e1b6e2ea1c59f0b75e792dca","status":"affected","version":"ff49d1df79aef7580fe3ac99d17c3f886655d080","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["sound/usb/midi2.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.5"},{"lessThan":"6.5","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.141","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.91","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.33","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.10","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.141","versionStartIncluding":"6.5","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.91","versionStartIncluding":"6.5","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.33","versionStartIncluding":"6.5","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.10","versionStartIncluding":"6.5","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"6.5","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans\n\nThe USB MIDI 2.0 endpoint parser has the same descriptor walking\npattern as the legacy MIDI parser. It validates bLength against\nbNumGrpTrmBlock before reading baAssoGrpTrmBlkID[], but not against the\nremaining bytes in the endpoint-extra scan.\n\nA malformed device can therefore make later baAssoGrpTrmBlkID[] reads\nconsume bytes past the walked descriptor.\n\nReject zero-length and overlong descriptors while walking endpoint\nextras."}],"providerMetadata":{"dateUpdated":"2026-06-24T16:28:44.345Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/fafc97bd01e4c737eaeafadfdadb1af4bbfa7307"},{"url":"https://git.kernel.org/stable/c/a310b4bebda5e4a1b26520c0cc5145ccd6d617e2"},{"url":"https://git.kernel.org/stable/c/f9c184a83574549a36ea69b755f650e57d164c78"},{"url":"https://git.kernel.org/stable/c/17e76b19de1aff5ff4de64d269290bd1b07a01d3"},{"url":"https://git.kernel.org/stable/c/918be519c7876329e1b6e2ea1c59f0b75e792dca"}],"title":"ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-52964","datePublished":"2026-06-24T16:28:44.345Z","dateReserved":"2026-06-09T07:44:35.374Z","dateUpdated":"2026-06-24T16:28:44.345Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-24 17:17:06","lastModifiedDate":"2026-06-24 17:17:06","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"52964","Ordinal":"1","Title":"ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans","CVE":"CVE-2026-52964","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"52964","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans\n\nThe USB MIDI 2.0 endpoint parser has the same descriptor walking\npattern as the legacy MIDI parser. It validates bLength against\nbNumGrpTrmBlock before reading baAssoGrpTrmBlkID[], but not against the\nremaining bytes in the endpoint-extra scan.\n\nA malformed device can therefore make later baAssoGrpTrmBlkID[] reads\nconsume bytes past the walked descriptor.\n\nReject zero-length and overlong descriptors while walking endpoint\nextras.","Type":"Description","Title":"ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans"}]}}}