CVE-2026-43436 Overview
CVE-2026-43436 is a NULL pointer dereference vulnerability in the Linux kernel's ALSA USB-audio driver. The flaw resides in the Scarlett2 mixer quirk handler, specifically in the scarlett2_find_fc_interface() function. The function assumes that a parsed USB interface contains at least one endpoint without validating the bNumEndpoints field. A malformed USB descriptor passed by an attacker-controlled or fuzzed device triggers a NULL dereference inside the kernel. The issue was identified through fuzzer testing and resolved upstream by adding a sanity check on endpoint count before access.
Critical Impact
A malformed USB descriptor from a malicious or fuzzed USB device causes a kernel NULL pointer dereference, leading to a denial-of-service condition on affected Linux systems.
Affected Products
- Linux kernel ALSA USB-audio driver (snd-usb-audio)
- Scarlett2 mixer quirk code path (scarlett2_find_fc_interface)
- Linux stable branches receiving the referenced commit backports
Discovery Timeline
- 2026-05-08 - CVE-2026-43436 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43436
Vulnerability Analysis
The vulnerability is a NULL pointer dereference in the ALSA USB-audio driver's Scarlett2 mixer quirk. When the kernel parses a USB device that matches the Scarlett2 quirk identifiers, it invokes scarlett2_find_fc_interface() to locate the relevant interface. The function dereferences endpoint structures without first verifying that the parsed interface actually contains endpoints. A USB descriptor reporting an interface with bNumEndpoints set to zero causes the code path to access a NULL or invalid endpoint pointer. The result is a kernel oops and system crash.
Root Cause
The root cause is missing input validation on the bNumEndpoints field of a USB interface descriptor. The Scarlett2 quirk handler assumed the descriptor was well-formed and proceeded to read endpoint data unconditionally. Untrusted USB descriptors can carry arbitrary values, including zero endpoints. The upstream fix adds a sanity check on bNumEndpoints and skips interfaces that do not satisfy the expected layout, preventing the dereference.
Attack Vector
Exploitation requires the ability to present a crafted USB descriptor to the kernel. This typically requires physical access to attach a malicious USB device, or use of a programmable USB peripheral such as a Facedancer or Raspberry Pi running USB gadget mode. Virtualized environments that expose USB passthrough to untrusted guests are also in scope. The vulnerability does not require authentication on the host because USB devices are parsed by the kernel as soon as they are attached. Successful triggering produces a NULL dereference oops, denying service to the affected system.
No public exploit code is available. The fix is distributed across multiple stable kernel commits referenced in the kernel.org git tree, including commit b267255c and commit df1d8abf.
Detection Methods for CVE-2026-43436
Indicators of Compromise
- Kernel oops or panic logs referencing scarlett2_find_fc_interface or snd-usb-audio in dmesg or /var/log/kern.log
- Unexpected system crashes shortly after a USB device is attached
- USB device enumeration entries for Focusrite Scarlett2 vendor or product IDs originating from unknown peripherals
Detection Strategies
- Monitor kernel ring buffer output for NULL pointer dereference traces involving ALSA USB-audio symbols
- Audit USB device connection events through udev logs and correlate them with subsequent kernel faults
- Track kernel package versions across the fleet to identify hosts running unpatched stable branches
Monitoring Recommendations
- Forward dmesg and /var/log/kern.log to a centralized logging or SIEM pipeline for kernel fault detection
- Enable USB device authorization policies and alert on attachment of unrecognized vendor or product IDs
- Apply file integrity monitoring on /lib/modules/ to detect tampering with the snd-usb-audio module
How to Mitigate CVE-2026-43436
Immediate Actions Required
- Update affected Linux systems to a kernel build that includes the upstream Scarlett2 endpoint sanity check
- Restrict physical and virtual access to USB ports on servers and high-value workstations
- Disable automatic loading of the snd-usb-audio module on systems that do not require USB audio support
Patch Information
The vulnerability is fixed by adding a check on bNumEndpoints inside the Scarlett2 mixer interface parser. The patch skips interfaces lacking the expected endpoints rather than dereferencing absent endpoint structures. The fix has been merged across multiple stable branches. Reference commits include 3d4f2388, 3d542cf3, b014cc94, b267255c, c5c5a6c5, and df1d8abf.
Workarounds
- Blacklist the snd-usb-audio module on systems that do not require USB audio functionality
- Enforce USB device authorization using udev rules to allow only known vendor and product IDs
- Apply USBGuard policies to block untrusted USB devices from being enumerated by the kernel
# Blacklist the snd-usb-audio module
echo "blacklist snd-usb-audio" | sudo tee /etc/modprobe.d/blacklist-snd-usb-audio.conf
sudo update-initramfs -u
# Example USBGuard policy: allow only an explicit device
sudo usbguard generate-policy > /etc/usbguard/rules.conf
sudo systemctl enable --now usbguard
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
