CVE-2026-46184 Overview
CVE-2026-46184 is a division-by-zero vulnerability in the Linux kernel's ua101 USB audio driver. The flaw resides in the detect_usb_format() function, which fails to validate the class-specific bNrChannels descriptor field received from a USB device. When a malicious or malformed USB device reports bNrChannels = 0, the calculated frame_bytes value becomes zero. This zero value is subsequently used as a divisor in playback_urb_complete() and capture_urb_complete(), triggering a kernel crash.
Critical Impact
A crafted USB audio device can trigger a kernel-level division by zero, causing a denial-of-service condition on the host system.
Affected Products
- Linux kernel — sound/usb/misc/ua101.c (UA101 USB audio driver)
- Multiple stable kernel branches receiving the backported fix
- Systems with the snd-usb-ua101 module loaded or available for hotplug
Discovery Timeline
- 2026-05-28 - CVE-2026-46184 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46184
Vulnerability Analysis
The Linux ua101 driver supports the Edirol UA-101 and UA-1000 USB audio interfaces. During device probe, detect_usb_format() parses class-specific audio streaming descriptors supplied by the connected USB device. The driver computes frame_bytes based on bNrChannels and sample size, then stores the value for use in URB (USB Request Block) completion paths.
The USB core layer does not validate class-specific descriptor fields. Drivers must therefore sanity-check every value before relying on it. The ua101 driver omitted this validation for bNrChannels, allowing a value of zero to propagate into arithmetic operations in the audio streaming hot path.
When frame_bytes is zero, both playback_urb_complete() and capture_urb_complete() perform a divide operation using the field as a divisor. The resulting divide-by-zero exception triggers a kernel oops, terminating the audio subsystem and potentially destabilizing the host.
Root Cause
The root cause is missing input validation on attacker-controlled descriptor data [CWE-369: Divide By Zero]. The driver trusted that bNrChannels would be a non-zero value because legitimate audio devices always report at least one channel. A malicious or malfunctioning device can supply zero, bypassing implicit assumptions in the code path.
Attack Vector
Exploitation requires physical or logical attachment of a crafted USB device. An attacker plugs a programmable USB device (for example, a Facedancer or BadUSB-class tool) that advertises itself as a UA101-compatible audio device with bNrChannels = 0. When the kernel binds the ua101 driver and audio streaming begins, the URB completion handler divides by zero and the kernel crashes. The result is a local denial of service against unattended workstations, kiosks, and servers exposing USB ports.
No verified public exploit code is available. The vulnerability is described in prose because no sanitized proof-of-concept has been published. The upstream fix adds an explicit check rejecting bNrChannels == 0 in detect_usb_format() before any arithmetic uses the value.
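The following is an added example, not code from the advisory or from the kernel tree: it models in Python the C logic described above (class-specific descriptor parse, frame_bytes derivation, division in the URB completion path) so the unpatched and patched behaviour can be compared side by side. The descriptor layout is the USB Audio Class 1.0 Type I FORMAT_TYPE descriptor; the two descriptor blobs are constructed by hand, and the function names detect_format, frames_in_urb and build_blob are this example's own. The same parser also serves the descriptor-log detection strategy in the next section, where a usbmon or udev capture can be scanned for audio streaming interfaces that report bNrChannels = 0.

```python
"""Python model of the ua101 frame_bytes computation over UAC1 descriptors.

Added example, not kernel code: it models in Python the C logic the advisory
describes (descriptor parse -> frame_bytes -> URB length division). Descriptor
layout follows the USB Audio Class 1.0 Type I FORMAT_TYPE descriptor; the
sample blobs are constructed by hand.
"""
import struct

USB_DT_CS_INTERFACE = 0x24   # bDescriptorType: class-specific interface
UAC_FORMAT_TYPE = 0x02       # bDescriptorSubtype: FORMAT_TYPE
UAC_FORMAT_TYPE_I = 0x01     # bFormatType: PCM (Type I)


def iter_descriptors(blob):
    """Yield (bDescriptorType, raw_descriptor) for each descriptor in blob."""
    off = 0
    while off + 2 <= len(blob):
        length = blob[off]
        if length < 2 or off + length > len(blob):
            raise ValueError("malformed bLength at offset %d" % off)
        yield blob[off + 1], blob[off:off + length]
        off += length


def find_format_type(blob):
    """Return the Type I FORMAT_TYPE fields as a dict, or None if absent."""
    for dtype, raw in iter_descriptors(blob):
        if dtype != USB_DT_CS_INTERFACE or len(raw) < 8:
            continue
        if raw[2] != UAC_FORMAT_TYPE or raw[3] != UAC_FORMAT_TYPE_I:
            continue
        channels, subframe, bits, nfreq = struct.unpack_from("<4B", raw, 4)
        return {"bNrChannels": channels, "bSubframeSize": subframe,
                "bBitResolution": bits, "bSamFreqType": nfreq}
    return None


def detect_format(blob, validate=True):
    """Model of detect_usb_format(): derive frame_bytes from the descriptor.

    validate=False takes bNrChannels on trust, as the unpatched driver did;
    validate=True rejects bNrChannels == 0 before any arithmetic, which is the
    shape of the upstream fix (the real driver reports a negative errno).
    This model also rejects sample widths other than 3 or 4 bytes.
    """
    fmt = find_format_type(blob)
    if fmt is None:
        raise ValueError("no FORMAT_TYPE descriptor")
    if fmt["bSubframeSize"] not in (3, 4):
        raise ValueError("unsupported sample width")
    if validate and fmt["bNrChannels"] == 0:
        raise ValueError("bNrChannels is zero; rejecting device")
    return fmt["bSubframeSize"] * fmt["bNrChannels"]   # frame_bytes


def frames_in_urb(frame_bytes, actual_length):
    """Model of the division in playback/capture_urb_complete().

    frames = actual_length / frame_bytes. With frame_bytes == 0 Python raises
    ZeroDivisionError where the kernel takes a #DE exception and oopses.
    """
    return actual_length // frame_bytes


def build_blob(channels):
    """Constructed descriptor set: a 9-byte standard interface descriptor
    followed by an 11-byte Type I FORMAT_TYPE descriptor (3-byte subframes,
    24-bit, one discrete rate of 44100 Hz)."""
    iface = bytes([0x09, 0x04, 0x01, 0x01, 0x01, 0x01, 0x02, 0x00, 0x00])
    fmt = bytes([0x0B, USB_DT_CS_INTERFACE, UAC_FORMAT_TYPE, UAC_FORMAT_TYPE_I,
                 channels, 0x03, 0x18, 0x01]) + (44100).to_bytes(3, "little")
    return iface + fmt


BENIGN_DEVICE = build_blob(channels=2)     # 2 ch x 3 bytes -> frame_bytes 6
MALFORMED_DEVICE = build_blob(channels=0)  # the CVE-2026-46184 trigger condition

if __name__ == "__main__":
    fb = detect_format(BENIGN_DEVICE)
    print("benign: frame_bytes=%d, frames in 48-byte URB=%d" % (fb, frames_in_urb(fb, 48)))
    fb = detect_format(MALFORMED_DEVICE, validate=False)
    print("unpatched: frame_bytes=%d (next URB completion divides by zero)" % fb)
    try:
        detect_format(MALFORMED_DEVICE)
    except ValueError as e:
        print("patched: %s" % e)
```

The model makes the ordering explicit: the check has to sit in the probe-time parser, before frame_bytes is stored, because the completion handlers run in interrupt context on every URB and cannot reasonably recover from a bad divisor there.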
Detection Methods for CVE-2026-46184
Indicators of Compromise
- Kernel oops or panic messages referencing playback_urb_complete or capture_urb_complete in dmesg and /var/log/kern.log
- Divide error (#DE) exceptions logged immediately after USB device enumeration events involving the snd-usb-ua101 module
- Unexpected loading of snd-usb-ua101 on hosts that do not legitimately use Edirol UA-101 hardware
Detection Strategies
- Correlate USB device hotplug events from udev with kernel exception traces to flag suspicious audio class descriptors
- Parse USB descriptor logs (for example, via usbmon or udevadm monitor) for audio streaming interfaces reporting bNrChannels = 0
- Alert on repeated kernel crashes on systems with physical USB exposure, particularly shared workstations and lab equipment
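As an added example of the correlation strategy above (not part of the advisory), the script below scans dmesg-style kernel log lines for a divide error whose oops trace names one of the ua101 URB completion handlers and attaches the most recent USB enumeration within a configurable window. The log lines are constructed to resemble the sequence the advisory describes and are not real captures; the alert field names and the find_ua101_divide_errors function are this example's own.

```python
"""Kernel-log detection for CVE-2026-46184-style crashes.

Added example, not part of the advisory: the log lines below are constructed
to resemble a dmesg sequence (USB enumeration, then a divide error whose trace
names a ua101 URB completion handler); they are not real captures.
"""
import re

SAMPLE_LOG = """\
[  120.001] usb 1-2: new full-speed USB device number 5 using xhci_hcd
[  120.131] usb 1-2: Product: UA-101
[  120.900] usbcore: registered new interface driver snd-usb-ua101
[  125.412] divide error: 0000 [#1] SMP
[  125.413] RIP: 0010:playback_urb_complete+0x4a/0x1c0 [snd_usb_ua101]
[  125.414] Call Trace:
[  125.415]  __usb_hcd_giveback_urb+0x8b/0x140
[  200.000] usb 1-3: new high-speed USB device number 6 using xhci_hcd
[  200.100] usb 1-3: Product: Mass Storage
[  210.000] divide error: 0000 [#2] SMP
[  210.001] RIP: 0010:some_other_driver_fn+0x10/0x80
"""

LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s?(.*)$")
USB_NEW = re.compile(r"usb (\S+): new .*device number (\d+)")
USB_PRODUCT = re.compile(r"usb (\S+): Product: (.+)")
DIVIDE = re.compile(r"\bdivide error\b", re.IGNORECASE)
UA101_FUNCS = ("playback_urb_complete", "capture_urb_complete")


def parse_kernel_log(text):
    """Return [(timestamp, message), ...] for lines carrying a dmesg timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append((float(m.group(1)), m.group(2)))
    return events


def find_ua101_divide_errors(text, window=30.0, trace_lines=6):
    """Flag divide errors whose trace names a ua101 completion handler, and
    attach the most recent USB enumeration if it happened within `window` s."""
    events = parse_kernel_log(text)
    alerts = []
    last_usb = None
    for i, (ts, msg) in enumerate(events):
        m = USB_NEW.search(msg)
        if m:
            last_usb = {"ts": ts, "port": m.group(1),
                        "devnum": int(m.group(2)), "product": None}
            continue
        m = USB_PRODUCT.search(msg)
        if m and last_usb and last_usb["port"] == m.group(1):
            last_usb["product"] = m.group(2).strip()
            continue
        if not DIVIDE.search(msg):
            continue
        # Look a few lines ahead for the faulting function in the oops trace.
        trace = " ".join(e[1] for e in events[i + 1:i + 1 + trace_lines])
        func = next((f for f in UA101_FUNCS if f in trace), None)
        if func is None:
            continue   # a divide error, but not in the ua101 hot path
        alert = {"ts": ts, "function": func, "usb_device": None}
        if last_usb is not None and 0 <= ts - last_usb["ts"] <= window:
            alert["usb_device"] = dict(last_usb)
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_ua101_divide_errors(SAMPLE_LOG):
        print(a)
```

Feed it the output of dmesg or journalctl -k; a SIEM rule can be built the same way by pairing the divide error event with the preceding USB enumeration event on the same host rather than alerting on either alone, which keeps unrelated #DE oopses and ordinary hotplug noise out of the queue.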
Monitoring Recommendations
- Forward kernel logs to a centralized logging or SIEM platform and create rules for divide_error, Oops, and Kernel panic patterns
- Track loaded kernel module changes with auditd rules on init_module and finit_module syscalls
- Monitor USB device insertion telemetry on endpoints in high-risk physical environments
How to Mitigate CVE-2026-46184
Immediate Actions Required
- Apply the upstream stable kernel update containing the bNrChannels sanity check as soon as your distribution ships it
- On systems that do not require USB audio support, blacklist the snd-usb-ua101 module to remove the attack surface
- Enforce USB device control policies that block unknown audio-class devices on critical endpoints
Patch Information
The fix is committed across multiple stable branches. Refer to the upstream commits for the exact patch contents:
- Kernel commit 0ff2b713f406
- Kernel commit 593dd7e6c890
- Kernel commit 6162e8212e88
- Kernel commit d1f73f169c10
- Kernel commit f1862dbf0908
The patch adds a check rejecting bNrChannels = 0 in detect_usb_format() so frame_bytes can never become zero before reaching the URB completion handlers.
Workarounds
- Blacklist the vulnerable module if UA101 hardware is not required: add the line "blacklist snd-usb-ua101" to /etc/modprobe.d/blacklist.conf
- Restrict USB device authorization using USBGuard or the kernel's USB authorization interface (set authorized_default = 0 on each USB host controller so new devices stay deauthorized until explicitly allowed)
- Physically restrict USB port access on shared and unattended systems through chassis locks or port-blocking hardware
# Prevent the vulnerable driver from loading on hotplug (modprobe blacklist)
echo "blacklist snd-usb-ua101" | sudo tee /etc/modprobe.d/disable-ua101.conf
sudo update-initramfs -u   # Debian/Ubuntu: rebuild the initramfs so the blacklist applies at boot
# Optional: require explicit authorization for new USB devices on every host controller
for host in /sys/bus/usb/devices/usb*; do
    echo 0 | sudo tee "$host/authorized_default"
done
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.