CVE-2026-31581

Summary

In the Linux kernel, the following vulnerability has been resolved:

ALSA: 6fire: fix use-after-free on disconnect

In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfire_chip)). When snd_card_free_when_closed() is called and no file handles are open, the card and embedded chip are freed synchronously. The subsequent chip->card = NULL write then hits freed slab memory.

Call trace: usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline] usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182 usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458 … hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953

Fix by moving the card lifecycle out of usb6fire_chip_abort() and into usb6fire_chip_disconnect(). The card pointer is saved in a local before any teardown, snd_card_disconnect() is called first to prevent new opens, URBs are aborted while chip is still valid, and snd_card_free_when_closed() is called last so chip is never accessed after the card may be freed.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxf2d06d4e129e2508e356136f99bb20a332ff1a00 < e719232f4552e29de8027a83918ea94434be87afaffected
LinuxLinuxb889a7d68d7e76b8795b754a75c91a2d561d5e8c < e247a0e01d15ed420f77ec5e2335721bf430a5b3affected
LinuxLinuxea8cc56db659cf0ae57073e32a4735ead7bd7ee3 < ba88461f7653636c48321ca993006a74724c2f41affected
LinuxLinuxb754e831a94f82f2593af806741392903f359168 < e88354b381e2006de63d6b052ed7005c9a47d00eaffected
LinuxLinux57860a80f03f9dc69a34a5c37b0941ad032a0a8c < af75b486f7e883e3422ece23c8d727e6815144a0affected
LinuxLinuxa0810c3d6dd2d29a9b92604d682eacd2902ce947 < d21e8a2af4869b5890b34e081d5aeadc93e9cd5caffected
LinuxLinuxa0810c3d6dd2d29a9b92604d682eacd2902ce947 < 3dc20d1981d6a67d8184498a5da272942dde1e65affected
LinuxLinuxa0810c3d6dd2d29a9b92604d682eacd2902ce947 < 51f6532790b74ffdd6970bc848358a2838c1c185affected
LinuxLinuxa0810c3d6dd2d29a9b92604d682eacd2902ce947 < b9c826916fdce6419b94eb0cd8810fdac18c2386affected
LinuxLinux74357d0b5cd3ef544752bc9f21cbeee4902fae6caffected
LinuxLinux273eec23467dfbfbd0e4c10302579ba441fb1e13affected
LinuxLinux0df7f4b5cc10f5adf98be0845372e9eef7bb5b09affected
LinuxLinux5.10.231 < 5.10.258affected
LinuxLinux5.15.174 < 5.15.209affected
LinuxLinux6.1.120 < 6.1.175affected
LinuxLinux6.6.64 < 6.6.136affected
LinuxLinux6.12.2 < 6.12.83affected
LinuxLinux4.19.325 < 4.20affected
LinuxLinux5.4.287 < 5.5affected
LinuxLinux6.11.11 < 6.12affected
LinuxLinux6.13affected
LinuxLinux0 < 6.13unaffected
LinuxLinux5.10.258 <= 5.10.*unaffected
LinuxLinux5.15.209 <= 5.15.*unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.136 <= 6.6.*unaffected
LinuxLinux6.12.83 <= 6.12.*unaffected
LinuxLinux6.18.24 <= 6.18.*unaffected
LinuxLinux6.19.14 <= 6.19.*unaffected
LinuxLinux7.0.1 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References