Skip to main content

Linux Kernel CVE-2026-46048

| EUVDEUVD-2026-32430 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-r5hg-4g6p-vqwc
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local physical/emulated USB access required (AV:L), standard user sufficient (PR:L), impact is pure kernel resource exhaustion with no confidentiality or integrity effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 15:10 vuln.today
CVSS changed
Jun 16, 2026 - 15:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ALSA: caiaq: fix usb_dev refcount leak on probe failure

create_card() takes a reference on the USB device with usb_get_dev() and stores the matching usb_put_dev() in card_free(), which is installed as the snd_card's ->private_free destructor.

However, ->private_free is only assigned near the end of init_card(), after several failure points (usb_set_interface(), EP type checks, usb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its timeout). When any of those fail, init_card() returns an error to snd_probe(), which calls snd_card_free(card). Because ->private_free is still NULL, card_free() never runs, the usb_get_dev() reference is not dropped, and the struct usb_device leaks along with its descriptor allocations and device_private.

syzbot reproduces this with a malformed UAC3 device whose only valid altsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call fails with -EIO and triggers the leak.

Move the ->private_free assignment into create_card(), immediately after usb_get_dev(), so that every error path reaching snd_card_free() balances the reference. card_free()'s callees (snd_usb_caiaq_input_free, free_urbs, kfree) already tolerate the partially-initialized state because the chip private area is zero-initialized by snd_card_new().

AnalysisAI

USB device reference count leak in the Linux kernel ALSA CAIAQ driver allows a local attacker with access to USB hardware to trigger kernel memory exhaustion. The flaw exists because usb_get_dev() is called in create_card() but its matching usb_put_dev() is only installed as a destructor late in init_card(), leaving it unreachable on all intermediate failure paths. Syzbot has reproduced the issue using a malformed UAC3 USB audio device, and patches are available across all affected stable kernel branches. No public exploit has been identified at time of analysis, and EPSS is negligible at 0.02%.

Technical ContextAI

The vulnerability resides in the ALSA CAIAQ USB audio driver (sound/usb/caiaq/) within the Linux kernel, affecting cpe:2.3:o:linux:linux_kernel across multiple stable series (6.6.x, 6.12.x, 6.18.x, 7.0.x) through to 7.1-rc1. The root cause is a classic reference-counting lifecycle mismatch: usb_get_dev() acquires a reference on the struct usb_device in create_card(), but the release function usb_put_dev() is only registered as the snd_card's private_free destructor at a late point in init_card(). Any failure before that assignment - including usb_set_interface(), endpoint type checks, usb_submit_urb(), or the EP1_CMD_GET_DEVICE_INFO handshake - causes snd_card_free() to be called with a NULL private_free, so card_free() never executes and the USB device reference is permanently orphaned. The struct usb_device, its descriptor allocations, and device_private all leak. Although CWE is not formally assigned, this maps to CWE-401 (Missing Release of Memory after Effective Lifetime) and CWE-772 (Missing Release of Resource before Destroying Handle). The fix is architectural: moving the private_free assignment immediately after usb_get_dev() in create_card() guarantees every error path through snd_card_free() correctly drops the reference.

RemediationAI

Upgrade to a patched Linux kernel version: 6.6.140 or later for the 6.6 LTS series; 6.12.86 or later for the 6.12 series; 6.18.27 or later for the 6.18 series; 7.0.4 or later for the 7.0 series; or 7.1-rc2 or later for the 7.1 release candidate series. Patches are available as commits to the stable tree at https://git.kernel.org/stable/c/21ca595aafa40d3ac70eab1f4cb62cc00ca21657, https://git.kernel.org/stable/c/50c6a1f05973f56d23280c9d7645a7a5734e0907, https://git.kernel.org/stable/c/da3b8fd6a202d94fef11a443abc9171c52426a1c, and related commits. If immediate kernel upgrade is not feasible, the compensating control is to block loading of the snd-usb-caiaq kernel module via a modprobe blacklist entry ('blacklist snd-usb-caiaq' in /etc/modprobe.d/), which prevents the driver from binding to any attached CAIAQ USB audio hardware. This trade-off is that legitimate Native Instruments CAIAQ devices will lose audio functionality. Additionally, enforcing USB device authorization (kernel USB authorization framework or USBGuard policy) to block unauthorized USB audio devices reduces the attack surface without disabling the module entirely, though this requires a managed device policy to be effective.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46048 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy