7.8

CVE-2026-31581

ALSA: 6fire: fix use-after-free on disconnect

In the Linux kernel, the following vulnerability has been resolved:

ALSA: 6fire: fix use-after-free on disconnect

In usb6fire_chip_abort(), the chip struct is allocated as the card's
private data (via snd_card_new with sizeof(struct sfire_chip)).  When
snd_card_free_when_closed() is called and no file handles are open, the
card and embedded chip are freed synchronously.  The subsequent
chip->card = NULL write then hits freed slab memory.

Call trace:
  usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline]
  usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182
  usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458
  ...
  hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953

Fix by moving the card lifecycle out of usb6fire_chip_abort() and into
usb6fire_chip_disconnect().  The card pointer is saved in a local
before any teardown, snd_card_disconnect() is called first to prevent
new opens, URBs are aborted while chip is still valid, and
snd_card_free_when_closed() is called last so chip is never accessed
after the card may be freed.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version < 6.6.136
LinuxLinux Kernel Version >= 6.12 < 6.12.83
LinuxLinux Kernel Version >= 6.13 < 6.18.24
LinuxLinux Kernel Version >= 6.19 < 6.19.14
LinuxLinux Kernel Version >= 7.0 < 7.0.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.13% 0.027
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/af75b486f7e883e3422ece23c8d727e6815144a0
Patch
https://git.kernel.org/stable/c/d21e8a2af4869b5890b34e081d5aeadc93e9cd5c
Patch
https://git.kernel.org/stable/c/3dc20d1981d6a67d8184498a5da272942dde1e65
Patch
https://git.kernel.org/stable/c/51f6532790b74ffdd6970bc848358a2838c1c185
Patch
https://git.kernel.org/stable/c/b9c826916fdce6419b94eb0cd8810fdac18c2386
Patch
https://git.kernel.org/stable/c/e88354b381e2006de63d6b052ed7005c9a47d00e
Patch
https://git.kernel.org/stable/c/ba88461f7653636c48321ca993006a74724c2f41
https://git.kernel.org/stable/c/e247a0e01d15ed420f77ec5e2335721bf430a5b3
https://git.kernel.org/stable/c/e719232f4552e29de8027a83918ea94434be87af