CVE-2026-46048

MEDIUM

ALSA: caiaq: fix usb_dev refcount leak on probe failure

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: fix usb_dev refcount leak on probe failure create_card() takes a reference on the USB device with usb_get_dev() and stores the matching usb_put_dev() in card_free(), which is installed as the snd_card's ->private_free destructor. However, ->private_free is only assigned near the end of init_card(), after several failure points (usb_set_interface(), EP type checks, usb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its timeout). When any of those fail, init_card() returns an error to snd_probe(), which calls snd_card_free(card). Because ->private_free is still NULL, card_free() never runs, the usb_get_dev() reference is not dropped, and the struct usb_device leaks along with its descriptor allocations and device_private. syzbot reproduces this with a malformed UAC3 device whose only valid altsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call fails with -EIO and triggers the leak. Move the ->private_free assignment into create_card(), immediately after usb_get_dev(), so that every error path reaching snd_card_free() balances the reference. card_free()'s callees (snd_usb_caiaq_input_free, free_urbs, kfree) already tolerate the partially-initialized state because the chip private area is zero-initialized by snd_card_new().

Scores

CVSS v3 5.5
EPSS 0.0012
EPSS Percentile 2.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

Status published
Products (25)
linux/Kernel 6.12.84 - 6.12.86linux
linux/Kernel 6.18.25 - 6.18.27linux
linux/Kernel 6.6.136 - 6.6.140linux
linux/Kernel 7.0.2 - 7.0.4linux
Linux/Linux < 7.1-rc1
Linux/Linux 1d9be95aee6c6246a21752e60c9519902649f482 - da3b8fd6a202d94fef11a443abc9171c52426a1c
Linux/Linux 493b3a682ededc804555755f5d2193201339612d - c874db8a1d2f9f08161470d00cfe8db2f5cca2cc
Linux/Linux 59b622a043cffc58b7638cd85ae6c30a0904f8e6 - 21ca595aafa40d3ac70eab1f4cb62cc00ca21657
Linux/Linux 6.12.84 - 6.12.86
Linux/Linux 6.12.86 - 6.12.*
... and 15 more
Published May 27, 2026
Tracked Since May 27, 2026