Linux Kernel CVE-2026-31701

EUVD-2026-26510, MEDIUM, CVSS 3.1 score 5.5
2026-05-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline (7 events)

May 06, 2026 - 21:31 (vuln.today): Analysis Generated
May 06, 2026 - 19:07 (NVD): CVSS changed, 5.5 (MEDIUM)
May 01, 2026 - 15:24 (nvd): Patch released, Patch available
May 01, 2026 - 15:02 (EUVD): Patch available
May 01, 2026 - 14:22 (euvd): EUVD ID Assigned, EUVD-2026-26510
May 01, 2026 - 14:16 (nvd): CVE Published, MEDIUM 5.5
May 01, 2026 - 14:16 (nvd): CVE Published, N/A

Description (NVD)

In the Linux kernel, the following vulnerability has been resolved:

ALSA: caiaq: take a reference on the USB device in create_card()

The caiaq driver stores a pointer to the parent USB device in cdev->chip.dev but never takes a reference on it. The card's private_free callback, snd_usb_caiaq_card_free(), can run asynchronously via snd_card_free_when_closed() after the USB device has already been disconnected and freed, so any access to cdev->chip.dev in that path dereferences a freed usb_device.

On top of the refcounting issue, the current card_free implementation calls usb_reset_device(cdev->chip.dev). A reset in a free callback is inappropriate: the device is going away, the call takes the device lock in a teardown context, and the reset races with the disconnect path that the callback is already cleaning up after.

Take a reference on the USB device in create_card() with usb_get_dev(), drop it with usb_put_dev() in the free callback, and remove the usb_reset_device() call.
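
The lifetime rule in the description, modelled in userspace C as an added example (this is not the kernel patch or the driver's code). The `_model` structs, the `fixed` switch and the `released` flag are assumptions that stand in for `struct usb_device`, `usb_get_dev()`/`usb_put_dev()` and the actual free of the object.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed stand-ins: "released" marks the point where the kernel would free the device. */
struct usb_device_model { int refcount; bool released; };
struct card_model { struct usb_device_model *dev; bool holds_ref; };

static struct usb_device_model *get_dev(struct usb_device_model *d) { d->refcount++; return d; }
static void put_dev(struct usb_device_model *d) {
    if (--d->refcount == 0)
        d->released = true;
}

/* create_card(): the fixed variant pins the device, the original only copies the pointer. */
static void create_card(struct card_model *c, struct usb_device_model *d, bool fixed) {
    c->dev = fixed ? get_dev(d) : d;
    c->holds_ref = fixed;
}

/* private_free callback: reports whether c->dev was still live when it ran. */
static bool card_free(struct card_model *c) {
    bool live = !c->dev->released;
    if (c->holds_ref)
        put_dev(c->dev);          /* fixed variant drops its reference last */
    c->dev = NULL;                /* no reset of the device in teardown */
    return live;
}

/* Ordering from the description: disconnect drops the USB core's reference first,
 * the card's free callback runs later (as with snd_card_free_when_closed()). */
static bool free_after_disconnect(bool fixed, bool *released_at_end) {
    struct usb_device_model dev = { .refcount = 1, .released = false };
    struct card_model card;
    create_card(&card, &dev, fixed);
    put_dev(&dev);                    /* device unplugged */
    bool live = card_free(&card);     /* deferred callback */
    *released_at_end = dev.released;
    return live;
}

int main(void) {
    bool rel;
    printf("unfixed: device live in callback = %d\n", free_after_disconnect(false, &rel));
    printf("fixed:   device live in callback = %d, released afterwards = %d\n",
           free_after_disconnect(true, &rel), rel);
    return 0;
}
```

In the model the device storage is on the stack and never actually freed, so the unfixed path can be observed safely; in the kernel the same ordering means the callback touches freed memory.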

Analysis (AI)

Use-after-free vulnerability in the ALSA caiaq USB audio driver allows local authenticated attackers to cause denial of service by triggering asynchronous card free callbacks after USB device disconnection. The vulnerability stems from missing reference counting on the parent USB device pointer, combined with an inappropriate usb_reset_device() call in the card teardown path. …
