CVE-2026-23089
Unknown Unknown - Not Provided
Use-After-Free in Linux ALSA USB Audio Mixer Causes Potential Crash

Publication date: 2026-02-04

Last updated on: 2026-03-17

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees mixer->id_elems but the controls already added to the card still reference the freed memory. Later when snd_card_register() runs, the OSS mixer layer calls their callbacks and hits a use-after-free read. Call trace: get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411 get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241 mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381 snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887 ... snd_card_register+0x4ed/0x6d0 sound/core/init.c:923 usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025 Fix by calling snd_ctl_remove() for all mixer controls before freeing id_elems. We save the next pointer first because snd_ctl_remove() frees the current element.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-04
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23089
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 5.11 (inc) to 5.15.199 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.162 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.122 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.68 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.8 (exc)
linux linux_kernel 6.19
linux linux_kernel From 2.6.13 (inc) to 5.10.249 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

This vulnerability in the Linux kernel ALSA usb-audio subsystem is caused by a use-after-free error in snd_usb_mixer_free() when snd_usb_create_mixer() fails.

To mitigate this vulnerability, update your Linux kernel to a version where this issue is fixed. The fix involves calling snd_ctl_remove() for all mixer controls before freeing id_elems to prevent use-after-free reads.

Executive Summary

This vulnerability is a use-after-free issue in the Linux kernel's ALSA usb-audio component. Specifically, when the function snd_usb_create_mixer() fails, the function snd_usb_mixer_free() frees memory associated with mixer->id_elems. However, the controls that were already added to the sound card still reference this freed memory. Later, when snd_card_register() is called, the OSS mixer layer invokes callbacks that access this freed memory, leading to a use-after-free read.

The problem occurs because snd_usb_mixer_free() does not remove the mixer controls before freeing the memory, causing dangling pointers. The fix involves calling snd_ctl_remove() for all mixer controls before freeing id_elems to ensure no references remain to freed memory.

Impact Analysis

This use-after-free vulnerability can lead to undefined behavior such as system crashes, memory corruption, or potentially allow an attacker to execute arbitrary code within the kernel context. Since it involves kernel memory management and audio device controls, exploitation could compromise system stability or security, especially on systems using the affected ALSA usb-audio drivers.

Compliance Impact

I don't know

Detection Guidance

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23089. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart