alsa-lib Heap-Based Buffer Overflow Vulnerability in Topology Mixer Control Decoder

Vulnerability

A heap-based buffer overflow vulnerability has been identified in alsa-lib versions 1.2.2 through 1.2.15.2, prior to commit 5f7fe33. The issue arises in the topology mixer control decoder, specifically within the tplg_decode_control_mixer1() function. This function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed size of the destination channel array. As a result, a crafted topology file with an excessive num_channels value causes the decoder to write past the end of that array, leading to heap corruption and a crash.
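The defect pattern described above, a length field copied from the input and used directly as the loop bound for a fixed-size array, is shown below with the two checks that close it. This is an added illustration, not alsa-lib's code: the record layout, the TPLG_MAX_CHAN value of 8, the function names and the error codes are all assumptions made for the example, and the blob builder only exists to construct test input in place of a real .tplg file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative fixed channel-array size. alsa-lib's topology headers define
 * their own limit; the value 8 is an assumption for this example only. */
#define TPLG_MAX_CHAN 8

/* Simplified record layout, an assumption for this example: a 32-bit
 * little-endian num_channels followed by num_channels records of three
 * 32-bit fields. This is not the real .tplg binary format. */
#define CHAN_REC_SIZE 12

struct tplg_channel {
    uint32_t id;
    uint32_t reg;
    uint32_t shift;
};

struct mixer_ctl {
    uint32_t num_channels;
    struct tplg_channel channel[TPLG_MAX_CHAN]; /* fixed-size destination */
};

enum {
    DECODE_OK = 0,
    DECODE_ETRUNC = -1,    /* input shorter than its own header claims */
    DECODE_ECHANNELS = -2  /* num_channels exceeds the fixed array */
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Hardened decoder. The defect in the advisory is a loop of the form
 * "for (i = 0; i < num_channels; i++) out->channel[i] = ..." with no check
 * of num_channels against the array size; both checks below are needed. */
int decode_mixer_ctl(const uint8_t *buf, size_t len, struct mixer_ctl *out)
{
    if (len < 4)
        return DECODE_ETRUNC;
    uint32_t n = rd_le32(buf);

    /* 1. Attacker-controlled n must never index past the fixed array. */
    if (n > TPLG_MAX_CHAN)
        return DECODE_ECHANNELS;

    /* 2. The input must actually carry n records (no over-read either). */
    if ((len - 4) / CHAN_REC_SIZE < n)
        return DECODE_ETRUNC;

    memset(out, 0, sizeof *out);
    out->num_channels = n;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *rec = buf + 4 + (size_t)i * CHAN_REC_SIZE;
        out->channel[i].id    = rd_le32(rec);
        out->channel[i].reg   = rd_le32(rec + 4);
        out->channel[i].shift = rd_le32(rec + 8);
    }
    return DECODE_OK;
}

/* Builds a constructed test blob whose header claims `claimed` channels while
 * only `present` records follow. Returns the blob length, 0 if cap is too small. */
size_t build_mixer_blob(uint8_t *buf, size_t cap, uint32_t claimed, uint32_t present)
{
    size_t need = 4 + (size_t)present * CHAN_REC_SIZE;
    if (cap < need)
        return 0;
    wr_le32(buf, claimed);
    for (uint32_t i = 0; i < present; i++) {
        uint8_t *rec = buf + 4 + (size_t)i * CHAN_REC_SIZE;
        wr_le32(rec, i);             /* id    */
        wr_le32(rec + 4, 0x100 + i); /* reg   */
        wr_le32(rec + 8, i * 4);     /* shift */
    }
    return need;
}

int main(void)
{
    uint8_t blob[4 + 16 * CHAN_REC_SIZE];
    struct mixer_ctl ctl;
    size_t len;

    len = build_mixer_blob(blob, sizeof blob, 2, 2);
    printf("well-formed:            %d\n", decode_mixer_ctl(blob, len, &ctl));
    /* Oversized num_channels, the advisory's trigger condition: rejected. */
    len = build_mixer_blob(blob, sizeof blob, 1000, 2);
    printf("oversized num_channels: %d\n", decode_mixer_ctl(blob, len, &ctl));
    len = build_mixer_blob(blob, sizeof blob, 4, 2);
    printf("truncated input:        %d\n", decode_mixer_ctl(blob, len, &ctl));
    return 0;
}
```

The order of the two checks matters: comparing n against the array size first keeps the arithmetic in the second check small and means a huge n is rejected before any size computation. The second check is the one practitioners most often forget; validating only the array bound still lets a truncated file cause an over-read of the input buffer.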

Impact

Exploitation of this vulnerability causes heap corruption, which can lead to a crash of the application.

Remediation

Update to an alsa-lib release later than 1.2.15.2, or to a build that includes commit 5f7fe33, to address this vulnerability.

Added: Jan 29, 2026, 8:20 PM
Updated: Jan 29, 2026, 8:20 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 2.5
exploitability: 4.0
remediation: 0.0
relevance: 2.3
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.