CVE-2026-25068

NameCVE-2026-25068
Descriptionalsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4469-1
Debian Bugs1126629

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
alsa-lib (PTS)bullseye1.2.4-1.1vulnerable
bullseye (security)1.2.4-1.1+deb11u1fixed
bookworm1.2.8-1vulnerable
trixie1.2.14-1vulnerable
forky, sid1.2.15.3-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
alsa-libsourcebullseye1.2.4-1.1+deb11u1DLA-4469-1
alsa-libsource(unstable)(unfixed)1126629

Notes

[trixie] - alsa-lib <no-dsa> (Minor issue)
[bookworm] - alsa-lib <no-dsa> (Minor issue)
Introduced by: https://github.com/alsa-project/alsa-lib/commit/b6c9afb4f59bb678dc834028680d579f47dc273b (v1.2.2)
Fixed by: https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40
Search for package or bug name: Reporting problems