CVE-2026-23089
Use-After-Free in Linux ALSA USB Audio Mixer Causes Potential Crash
Publication date: 2026-02-04
Last updated on: 2026-03-17
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 5.11 (inc) to 5.15.199 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.162 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.122 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.68 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.8 (exc) |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 2.6.13 (inc) to 5.10.249 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
This vulnerability in the Linux kernel ALSA usb-audio subsystem is caused by a use-after-free error in snd_usb_mixer_free() when snd_usb_create_mixer() fails.
To mitigate this vulnerability, update your Linux kernel to a version where this issue is fixed. The fix involves calling snd_ctl_remove() for all mixer controls before freeing id_elems to prevent use-after-free reads.
Can you explain this vulnerability to me?
This vulnerability is a use-after-free issue in the Linux kernel's ALSA usb-audio component. Specifically, when the function snd_usb_create_mixer() fails, the function snd_usb_mixer_free() frees memory associated with mixer->id_elems. However, the controls that were already added to the sound card still reference this freed memory. Later, when snd_card_register() is called, the OSS mixer layer invokes callbacks that access this freed memory, leading to a use-after-free read.
The problem occurs because snd_usb_mixer_free() does not remove the mixer controls before freeing the memory, causing dangling pointers. The fix involves calling snd_ctl_remove() for all mixer controls before freeing id_elems to ensure no references remain to freed memory.
How can this vulnerability impact me? :
This use-after-free vulnerability can lead to undefined behavior such as system crashes, memory corruption, or potentially allow an attacker to execute arbitrary code within the kernel context. Since it involves kernel memory management and audio device controls, exploitation could compromise system stability or security, especially on systems using the affected ALSA usb-audio drivers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know