Skip to main content

Linux Kernel EUVDEUVD-2026-32301

| CVE-2026-46004 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-gmmg-288v-pj32
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.5 MEDIUM

Local trigger via USB driver probe error path (AV:L, PR:L); reliably winning the UAF needs heap grooming and induced probe failure (AC:H); kernel memory corruption yields high integrity/availability impact with limited confidentiality leak.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
6.6 MEDIUM
AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 15:39 vuln.today
CVSS changed
Jun 16, 2026 - 15:37 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ALSA: caiaq: Handle probe errors properly

The probe procedure of setup_card() in caiaq driver doesn't treat the error cases gracefully, e.g. the error from snd_card_register() calls snd_card_free() but continues. This would lead to a UAF for the further calls like snd_usb_caiaq_control_init(), as Berk suggested in another patch in the link below.

However, the problem is not only that; in general, this function drops the all error handlings (as it's a void function) although its caller can propagate an error to snd_probe(), which eventually calls snd_card_free() as a proper error path. That said, we should treat each error case in setup_card(), and just return the error code promptly, which is then handled later as a fatal error in snd_probe().

This patch achieves it by changing the setup_card() to return an error code. Also, the superfluous snd_card_free() call is removed, too.

Note that card->private_free can be set still safely at returning an error. All called functions in card_free() have checks of the unassigned resources or NULL checks.

AnalysisAI

Use-after-free in the Linux kernel ALSA caiaq USB audio driver allows local code execution when the device probe path encounters an error during setup_card(). The setup_card() function previously ignored failures from snd_card_register() and continued executing, leaving freed card structures accessible to subsequent initialization calls such as snd_usb_caiaq_control_init(). No public exploit identified at time of analysis, and EPSS is low at 0.02% (5th percentile), consistent with the local attack vector and narrow hardware-driver scope.

Technical ContextAI

The vulnerability lives in sound/usb/caiaq/audio.c, the ALSA driver for Native Instruments Caiaq-series USB audio/MIDI controllers (e.g., Kore, Maschine, Audio Kontrol). The root cause is CWE-416 (Use After Free): setup_card() is declared void and discards error returns, so a failed snd_card_register() invokes snd_card_free() - releasing card memory - yet execution falls through to further initializers that dereference the now-freed card pointer. The fix changes setup_card() to return an int, propagates the error up to snd_probe(), and removes the redundant snd_card_free() so the standard probe error path performs cleanup exactly once. Affected CPEs span the Linux kernel line from commit 8e3cd08ed8e5 (introduced in 2.6.25) through the trees fixed in 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 (or later) depending on the stable series in use; distribution kernels should be updated as soon as the corresponding backport lands (see git.kernel.org/stable/c/096dd8519cf2 and the other commits listed in the NVD references). If immediate patching is not feasible, the most effective compensating control is to unload or blacklist the snd-usb-caiaq module (e.g., add 'blacklist snd_usb_caiaq' to /etc/modprobe.d/) - the trade-off is loss of support for Native Instruments Caiaq-series USB audio hardware. On multi-user systems where attaching USB devices is unrestricted, also consider USBGuard policies that deny unknown USB audio devices, accepting the operational overhead of authorizing legitimate hardware.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.158 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.144 Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.173 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.144 Affected
SUSE Linux Enterprise Server 15 SP6-LTSS Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP6 Fixed
SUSE Linux Micro 6.0 Fixed

Share

EUVD-2026-32301 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy