CVE-2026-31701
Received Received - Intake
Use-After-Free in Linux Kernel ALSA caiaq Driver

Publication date: 2026-05-01

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: take a reference on the USB device in create_card() The caiaq driver stores a pointer to the parent USB device in cdev->chip.dev but never takes a reference on it. The card's private_free callback, snd_usb_caiaq_card_free(), can run asynchronously via snd_card_free_when_closed() after the USB device has already been disconnected and freed, so any access to cdev->chip.dev in that path dereferences a freed usb_device. On top of the refcounting issue, the current card_free implementation calls usb_reset_device(cdev->chip.dev). A reset in a free callback is inappropriate: the device is going away, the call takes the device lock in a teardown context, and the reset races with the disconnect path that the callback is already cleaning up after. Take a reference on the USB device in create_card() with usb_get_dev(), drop it with usb_put_dev() in the free callback, and remove the usb_reset_device() call.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-06
Generated
2026-05-07
AI Q&A
2026-05-01
EPSS Evaluated
2026-05-05
NVD
CVE-2026-31701
EUVD
EUVD-2026-26510
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.13
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.13 (inc) to 6.18.25 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's ALSA caiaq driver. The driver stores a pointer to the parent USB device without taking a proper reference on it. As a result, when the card's private_free callback runs asynchronously after the USB device has been disconnected and freed, it may dereference a freed USB device pointer, leading to use-after-free issues.

Additionally, the current implementation calls usb_reset_device() during the free callback, which is inappropriate because the device is being removed. This reset call can cause race conditions with the device disconnect process.

The fix involves taking a reference on the USB device when creating the card and releasing it in the free callback, as well as removing the usb_reset_device() call.


How can this vulnerability impact me? :

This vulnerability can lead to use-after-free conditions in the kernel, which may cause system instability, crashes, or potential escalation of privileges if exploited. Accessing freed memory can result in unpredictable behavior or security risks on affected systems using the ALSA caiaq driver.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is caused by the caiaq ALSA driver in the Linux kernel not properly taking a reference on the USB device, leading to use-after-free issues.

To mitigate this vulnerability, update the Linux kernel to a version where the caiaq driver has been fixed to take a reference on the USB device in create_card() using usb_get_dev(), and drop it with usb_put_dev() in the free callback.

Additionally, the fix removes the inappropriate call to usb_reset_device() in the free callback, which should also be present in the updated driver code.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart