CVE-2026-31581

EPSS 0.01%
Veröffentlicht 24.04.2026 14:42:11
Zuletzt bearbeitet 27.04.2026 20:28:08
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

ALSA: 6fire: fix use-after-free on disconnect

In the Linux kernel, the following vulnerability has been resolved:

ALSA: 6fire: fix use-after-free on disconnect

In usb6fire_chip_abort(), the chip struct is allocated as the card's
private data (via snd_card_new with sizeof(struct sfire_chip)).  When
snd_card_free_when_closed() is called and no file handles are open, the
card and embedded chip are freed synchronously.  The subsequent
chip->card = NULL write then hits freed slab memory.

Call trace:
  usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline]
  usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182
  usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458
  ...
  hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953

Fix by moving the card lifecycle out of usb6fire_chip_abort() and into
usb6fire_chip_disconnect().  The card pointer is saved in a local
before any teardown, snd_card_disconnect() is called first to prevent
new opens, URBs are aborted while chip is still valid, and
snd_card_free_when_closed() is called last so chip is never accessed
after the card may be freed.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

NVD 5 VulnDex Vulnerability Enrichment 13

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version < 6.6.136

Linux ≫ Linux Kernel Version >= 6.12 < 6.12.83

Linux ≫ Linux Kernel Version >= 6.13 < 6.18.24

Linux ≫ Linux Kernel Version >= 6.19 < 6.19.14

Linux ≫ Linux Kernel Version >= 7.0 < 7.0.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.02

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/af75b486f7e883e3422ece23c8d727e6815144a0

Patch

https://git.kernel.org/stable/c/d21e8a2af4869b5890b34e081d5aeadc93e9cd5c

Patch

https://git.kernel.org/stable/c/3dc20d1981d6a67d8184498a5da272942dde1e65

Patch

https://git.kernel.org/stable/c/51f6532790b74ffdd6970bc848358a2838c1c185

Patch

https://git.kernel.org/stable/c/b9c826916fdce6419b94eb0cd8810fdac18c2386

Patch

https://git.kernel.org/stable/c/e88354b381e2006de63d6b052ed7005c9a47d00e

Patch