7.8
CVE-2026-31581
- EPSS 0.13%
- Veröffentlicht 24.04.2026 14:42:11
- Zuletzt bearbeitet 01.06.2026 17:16:48
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
ALSA: 6fire: fix use-after-free on disconnect
In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: fix use-after-free on disconnect In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfire_chip)). When snd_card_free_when_closed() is called and no file handles are open, the card and embedded chip are freed synchronously. The subsequent chip->card = NULL write then hits freed slab memory. Call trace: usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline] usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182 usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458 ... hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953 Fix by moving the card lifecycle out of usb6fire_chip_abort() and into usb6fire_chip_disconnect(). The card pointer is saved in a local before any teardown, snd_card_disconnect() is called first to prevent new opens, URBs are aborted while chip is still valid, and snd_card_free_when_closed() is called last so chip is never accessed after the card may be freed.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version < 6.6.136
Linux ≫ Linux Kernel Version >= 6.12 < 6.12.83
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.24
Linux ≫ Linux Kernel Version >= 6.19 < 6.19.14
Linux ≫ Linux Kernel Version >= 7.0 < 7.0.1
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.13% | 0.027 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/af75b486f7e883e3422ece23c8d727e6815144a0
https://git.kernel.org/stable/c/d21e8a2af4869b5890b34e081d5aeadc93e9cd5c
https://git.kernel.org/stable/c/3dc20d1981d6a67d8184498a5da272942dde1e65
https://git.kernel.org/stable/c/51f6532790b74ffdd6970bc848358a2838c1c185
https://git.kernel.org/stable/c/b9c826916fdce6419b94eb0cd8810fdac18c2386
https://git.kernel.org/stable/c/e88354b381e2006de63d6b052ed7005c9a47d00e
https://git.kernel.org/stable/c/ba88461f7653636c48321ca993006a74724c2f41
https://git.kernel.org/stable/c/e247a0e01d15ed420f77ec5e2335721bf430a5b3
https://git.kernel.org/stable/c/e719232f4552e29de8027a83918ea94434be87af