CVE-2026-31602: Linux Kernel Buffer Overflow Vulnerability

CVE-2026-31602 Overview

CVE-2026-31602 is a Linux kernel vulnerability in the ALSA snd_ctxfi sound driver for Creative CT20K2 audio hardware. The flaw resides in the ct_vm_map() function, which performs virtual memory mapping for playback streams. A prior change increased CT_PTP_NUM from 1 to 4 to support 256 playback streams, but the driver continues to use only vm->ptp[0].area for page table entries (PTEs). When aggregate playback memory allocations exceed the single-page PTE capacity, the driver accesses memory beyond the allocated region and triggers a page fault in kernel space.

Critical Impact

Local users with access to ALSA playback devices on systems using the snd_ctxfi driver can trigger a kernel page fault leading to denial of service via ct_vm_map+0x17c/0x280.

Affected Products

• Linux Kernel versions containing commit 391e69143d0a (which raised CT_PTP_NUM to 4)
• Systems with Creative Technology CT20K2-based audio hardware using the snd_ctxfi driver
• AMD64 platforms where a single PTP covers 512 PTEs (2M of mapped audio buffer)

Discovery Timeline

• 2026-04-24 - CVE-2026-31602 published to NVD
• 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2026-31602

Vulnerability Analysis

The vulnerability is an out-of-bounds write in the ALSA ctxfi driver triggered through normal PCM playback preparation. The driver's virtual memory manager allocates four page table pages (CT_PTP_NUM = 4) when initialized, but ct_vm_map() indexes only into vm->ptp[0].area when populating PTEs. On AMD64 systems each PTP backs 512 PTEs, corresponding to 2 MB of mapped audio buffer space. When the total of active playback allocations exceeds this 2 MB window, the function writes past the end of the single allocated page.

The resulting page fault surfaces during snd_pcm_ioctl → snd_pcm_do_prepare → ct_pcm_playback_prepare → atc_pcm_playback_prepare → ct_vm_map, taking the kernel offline with an Oops at RIP: ct_vm_map+0x17c/0x280 [snd_ctxfi]. Any local user with permission to open /dev/snd/pcm* playback nodes can reach this code path.

Root Cause

The root cause is an inconsistency between memory allocation and memory access. Commit 391e69143d0a expanded the PTP pool to four pages to advertise 256 playback streams, but the CT20K2 hardware exposes multiple VMEM_PTPAL registers that the driver does not separately program. The mapping logic in ct_vm_map() was never refactored to spread PTE writes across vm->ptp[1..3], so it continues to treat the PTP as a single contiguous page. The fix reverts CT_PTP_NUM to 1 while keeping SRC_RESOURCE_NUM and playback_count at 256.

Attack Vector

Exploitation is local and requires permission to open ALSA PCM playback devices, typically granted to members of the audio group or via session policy on desktop systems. An attacker opens enough playback substreams or allocates large enough DMA buffers to push aggregate mapped memory beyond 2 MB, then issues a SNDRV_PCM_IOCTL_PREPARE to trigger ct_vm_map(). The kernel write past the PTP boundary corrupts adjacent memory and produces a fatal Oops, achieving denial of service. The vulnerability does not require network access or user interaction beyond the local ioctl sequence.

No public proof-of-concept exploit code is available. The vulnerability mechanism is documented in the upstream kernel commit logs referenced below.

Detection Methods for CVE-2026-31602

Indicators of Compromise

• Kernel Oops messages referencing ct_vm_map+0x17c/0x280 [snd_ctxfi] in dmesg or /var/log/kern.log
• BUG: unable to handle page fault entries with call traces including atc_pcm_playback_prepare and ct_pcm_playback_prepare
• Unexpected audio subsystem crashes on hosts with Creative CT20K2 (Sound Blaster X-Fi Titanium series) hardware

Detection Strategies

• Inventory hosts loading the snd_ctxfi module via lsmod | grep snd_ctxfi and correlate with installed kernel versions
• Monitor kernel ring buffer telemetry for page fault signatures originating in ALSA call paths
• Track local processes that open large numbers of /dev/snd/pcmC*D*p device nodes within short time windows

Monitoring Recommendations

• Forward kern.log and journald kernel facility messages to a centralized log platform and alert on Oops keywords tied to snd_ctxfi
• Audit membership of the audio group and other groups granting access to /dev/snd/* devices on multi-user systems
• Track kernel package versions across the fleet to identify hosts still running kernels prior to the fix

How to Mitigate CVE-2026-31602

Immediate Actions Required

• Apply the upstream Linux kernel patches that revert CT_PTP_NUM to 1 in the snd_ctxfi driver
• Unload the snd_ctxfi module on hosts that do not require Creative CT20K2 audio support using modprobe -r snd_ctxfi
• Restrict membership of the audio group and limit local shell access to trusted users on affected systems

Patch Information

The fix is committed across multiple stable branches. See the upstream commits: Kernel commit 365c36e1, Kernel commit 3fd0685d, Kernel commit 45289400, Kernel commit ad9011a7, Kernel commit b7f5ecd1, and Kernel commit e9418da5. Rebuild and reboot into a patched kernel from your distribution as soon as it becomes available.

Workarounds

• Blacklist the snd_ctxfi driver via /etc/modprobe.d/blacklist-ctxfi.conf on systems without Creative CT20K2 hardware
• Remove untrusted users from the audio group to prevent local access to vulnerable PCM device nodes
• Avoid configurations that open large numbers of simultaneous playback streams on unpatched kernels

# Configuration example
# Blacklist the vulnerable ALSA ctxfi driver until the kernel is patched
echo "blacklist snd_ctxfi" | sudo tee /etc/modprobe.d/blacklist-ctxfi.conf
sudo modprobe -r snd_ctxfi

# Verify the module is no longer loaded
lsmod | grep snd_ctxfi

# Monitor kernel log for related Oops entries
sudo dmesg -T | grep -E "ct_vm_map|snd_ctxfi"