CVE-2026-31701
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: caiaq: take a reference on the USB device in create_card()
The caiaq driver stores a pointer to the parent USB device in cdev->chip.dev but never takes a reference on it. The card's private_free callback, snd_usb_caiaq_card_free(), can run asynchronously via snd_card_free_when_closed() after the USB device has already been disconnected and freed, so any access to cdev->chip.dev in that path dereferences a freed usb_device.
On top of the refcounting issue, the current card_free implementation calls usb_reset_device(cdev->chip.dev). A reset in a free callback is inappropriate: the device is going away, the call takes the device lock in a teardown context, and the reset races with the disconnect path that the callback is already cleaning up after.
Take a reference on the USB device in create_card() with usb_get_dev(), drop it with usb_put_dev() in the free callback, and remove the usb_reset_device() call.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 4dd821dcbfcecf7af6a08370b0b217cde2818acf < 493b3a682ededc804555755f5d2193201339612d | affected |
| Linux | Linux | cadf1d8e9ddcd74584ec961aeac14ac549b261d8 < dbcf7588e8dea017ddb3f18ec2766f7d2e5f2a0e | affected |
| Linux | Linux | 237f3faf0177bdde728fa3106d730d806436aa4d < ac7345f68cda6989016d85d63f7b244c064aa8f6 | affected |
| Linux | Linux | 4507a8b9b30344c5ddd8219945f446d47e966a6d < f6634af5de728a46792f674a66d7843570cb68f7 | affected |
| Linux | Linux | a3f9314752dbb6f6aa1f0f2b4c58243bda800738 < 1d9be95aee6c6246a21752e60c9519902649f482 | affected |
| Linux | Linux | b04dcbb7f7b1908806b7dc22671cdbe78ff2b82c < 6473ed16df1fe88051140611b3eb9a49be7f429e | affected |
| Linux | Linux | b04dcbb7f7b1908806b7dc22671cdbe78ff2b82c < 59b622a043cffc58b7638cd85ae6c30a0904f8e6 | affected |
| Linux | Linux | b04dcbb7f7b1908806b7dc22671cdbe78ff2b82c < 80bb50e2d459213cccff3111d5ef98ed4238c0d5 | affected |
| Linux | Linux | 3993edf44d3df7b6e8c753eac6ac8783473fcbab | affected |
| Linux | Linux | ebad462eec93b0f701dfe4de98990e7355283801 | affected |
| Linux | Linux | dd0de8cb708951cebf727aa045e8242ba651bb52 | affected |
| Linux | Linux | 5.10.231 < 5.10.258 | affected |
| Linux | Linux | 5.15.174 < 5.15.209 | affected |
| Linux | Linux | 6.1.120 < 6.1.175 | affected |
| Linux | Linux | 6.6.64 < 6.6.136 | affected |
| Linux | Linux | 6.12.2 < 6.12.84 | affected |
| Linux | Linux | 4.19.325 < 4.20 | affected |
| Linux | Linux | 5.4.287 < 5.5 | affected |
| Linux | Linux | 6.11.11 < 6.12 | affected |
| Linux | Linux | 6.13 | affected |
| Linux | Linux | 0 < 6.13 | unaffected |
| Linux | Linux | 5.10.258 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.209 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.175 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.136 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.84 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.25 <= 6.18.* | unaffected |
| Linux | Linux | 7.0.2 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/493b3a682ededc804555755f5d2193201339612d
- https://git.kernel.org/stable/c/dbcf7588e8dea017ddb3f18ec2766f7d2e5f2a0e
- https://git.kernel.org/stable/c/ac7345f68cda6989016d85d63f7b244c064aa8f6
- https://git.kernel.org/stable/c/f6634af5de728a46792f674a66d7843570cb68f7
- https://git.kernel.org/stable/c/1d9be95aee6c6246a21752e60c9519902649f482
- https://git.kernel.org/stable/c/6473ed16df1fe88051140611b3eb9a49be7f429e
- https://git.kernel.org/stable/c/59b622a043cffc58b7638cd85ae6c30a0904f8e6
- https://git.kernel.org/stable/c/80bb50e2d459213cccff3111d5ef98ed4238c0d5
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.