{"id":"CVE-2026-46088","summary":"ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()\n\nsnd_ctl_elem_init_enum_names() advances pointer p through the names\nbuffer while decrementing buf_len. If buf_len reaches zero but items\nremain, the next iteration calls strnlen(p, 0).\n\nWhile strnlen(p, 0) returns 0 and would hit the existing name_len == 0\nerror path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks\nmaxlen against __builtin_dynamic_object_size(). When Clang loses track\nof p's object size inside the loop, this triggers a BRK exception panic\nbefore the return value is examined.\n\nAdd a buf_len == 0 guard at the loop entry to prevent calling fortified\nstrnlen() on an exhausted buffer.\n\nFound by kernel fuzz testing through Xiaomi Smartphone.","modified":"2026-06-05T18:29:38.873483262Z","published":"2026-05-27T12:58:31.895Z","related":["openSUSE-SU-2026:10954-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46088.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1fbe46d2b72754d8bd580e13e59ccb5d3d0e8cb0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/654c818a69c21d2bea4e8fd9eae7da865df9a5c8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/708f6ec9bcdf58bfd561409110baaf4fd3be4ea3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/82012fd3e78a14360fbc2f1a7491589896704f97"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8ba0214c3dd32b8ec652947e3f2bc5b8f6e6be9e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a470f7cabc4df72d9bd132f5719a8717292bb440"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bfcbb4994da9e979c4bcfcf24aaaac69e457e48e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e0da8a8cac74f4b9f577979d131f0d2b88a84487"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46088.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46088"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4"},{"fixed":"708f6ec9bcdf58bfd561409110baaf4fd3be4ea3"},{"fixed":"bfcbb4994da9e979c4bcfcf24aaaac69e457e48e"},{"fixed":"a470f7cabc4df72d9bd132f5719a8717292bb440"},{"fixed":"1fbe46d2b72754d8bd580e13e59ccb5d3d0e8cb0"},{"fixed":"8ba0214c3dd32b8ec652947e3f2bc5b8f6e6be9e"},{"fixed":"654c818a69c21d2bea4e8fd9eae7da865df9a5c8"},{"fixed":"82012fd3e78a14360fbc2f1a7491589896704f97"},{"fixed":"e0da8a8cac74f4b9f577979d131f0d2b88a84487"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46088.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.2.0"},{"fixed":"5.10.258"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.140"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.86"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.27"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46088.json"}}],"schema_version":"1.7.5"}