Skip to main content

Linux Kernel EUVDEUVD-2026-26510

| CVE-2026-31701 MEDIUM
2026-05-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 06, 2026 - 21:31 vuln.today
CVSS changed
May 06, 2026 - 19:07 NVD
5.5 (MEDIUM)
Patch released
May 01, 2026 - 15:24 nvd
Patch available
Patch available
May 01, 2026 - 15:02 EUVD
EUVD ID Assigned
May 01, 2026 - 14:22 euvd
EUVD-2026-26510
CVE Published
May 01, 2026 - 14:16 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:16 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ALSA: caiaq: take a reference on the USB device in create_card()

The caiaq driver stores a pointer to the parent USB device in cdev->chip.dev but never takes a reference on it. The card's private_free callback, snd_usb_caiaq_card_free(), can run asynchronously via snd_card_free_when_closed() after the USB device has already been disconnected and freed, so any access to cdev->chip.dev in that path dereferences a freed usb_device.

On top of the refcounting issue, the current card_free implementation calls usb_reset_device(cdev->chip.dev). A reset in a free callback is inappropriate: the device is going away, the call takes the device lock in a teardown context, and the reset races with the disconnect path that the callback is already cleaning up after.

Take a reference on the USB device in create_card() with usb_get_dev(), drop it with usb_put_dev() in the free callback, and remove the usb_reset_device() call.

AnalysisAI

Use-after-free vulnerability in the ALSA caiaq USB audio driver allows local authenticated attackers to cause denial of service by triggering asynchronous card free callbacks after USB device disconnection. The vulnerability stems from missing reference counting on the parent USB device pointer, combined with an inappropriate usb_reset_device() call in the card teardown path. EPSS exploitation probability is minimal (0.02%), and no public exploit code or active exploitation has been identified.

Technical ContextAI

The caiaq driver is part of the Linux kernel's ALSA (Advanced Linux Sound Architecture) subsystem and provides sound support for Native Instruments audio interfaces connected via USB. The vulnerability exists in the create_card() and snd_usb_caiaq_card_free() functions. The driver stores a pointer to the USB device structure (usb_device) in cdev->chip.dev but never increments the device's reference count via usb_get_dev(). When the USB device is physically disconnected, the kernel frees the usb_device structure. If the ALSA card's private_free callback runs asynchronously afterward (via snd_card_free_when_closed()), it dereferences the freed memory. Additionally, the teardown path calls usb_reset_device(), which acquires the device lock and races with the disconnect path-inappropriate behavior in a destructor context. The fix involves proper reference counting: usb_get_dev() in create_card(), usb_put_dev() in the free callback, and removal of the reset call.

RemediationAI

Update the Linux kernel to a patched version: 6.12.84, 6.6.136, 7.0.2, or later, depending on your stable branch. For development branches (6.13, 7.1-rc1 and later), apply the upstream fix commit 1d9be95aee6c6246a21752e60c9519902649f482 or backport equivalent patches from kernel.org stable trees (referenced at https://git.kernel.org/stable/). If immediate patching is not feasible, disconnect any Native Instruments USB audio devices and avoid using the caiaq driver until the kernel is updated. The actual mitigation in the kernel code involves three changes: calling usb_get_dev() in create_card() to increment the USB device reference count, calling usb_put_dev() in snd_usb_caiaq_card_free() to decrement it, and removing the usb_reset_device() call from the free path. No user-space workarounds are available; kernel update is mandatory.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26510 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy