CVE-2026-31701

MEDIUM

ALSA: caiaq: take a reference on the USB device in create_card()

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: take a reference on the USB device in create_card() The caiaq driver stores a pointer to the parent USB device in cdev->chip.dev but never takes a reference on it. The card's private_free callback, snd_usb_caiaq_card_free(), can run asynchronously via snd_card_free_when_closed() after the USB device has already been disconnected and freed, so any access to cdev->chip.dev in that path dereferences a freed usb_device. On top of the refcounting issue, the current card_free implementation calls usb_reset_device(cdev->chip.dev). A reset in a free callback is inappropriate: the device is going away, the call takes the device lock in a teardown context, and the reset races with the disconnect path that the callback is already cleaning up after. Take a reference on the USB device in create_card() with usb_get_dev(), drop it with usb_put_dev() in the free callback, and remove the usb_reset_device() call.

Scores

CVSS v3 5.5
EPSS 0.0012
EPSS Percentile 1.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

Status published
Products (45)
linux/Kernel < 5.10.258linux
linux/Kernel 5.11.0 - 5.15.209linux
linux/Kernel 5.16.0 - 6.1.175linux
linux/Kernel 6.13.0 - 7.0.2linux
linux/Kernel 6.2.0 - 6.6.136linux
linux/Kernel 6.7.0 - 6.12.84linux
Linux/Linux < 6.13
Linux/Linux 237f3faf0177bdde728fa3106d730d806436aa4d
Linux/Linux 237f3faf0177bdde728fa3106d730d806436aa4d - ac7345f68cda6989016d85d63f7b244c064aa8f6
Linux/Linux 3993edf44d3df7b6e8c753eac6ac8783473fcbab
... and 35 more
Published May 01, 2026
Tracked Since May 01, 2026