5.5

CVE-2026-46048

ALSA: caiaq: fix usb_dev refcount leak on probe failure

In the Linux kernel, the following vulnerability has been resolved:

ALSA: caiaq: fix usb_dev refcount leak on probe failure

create_card() takes a reference on the USB device with usb_get_dev()
and stores the matching usb_put_dev() in card_free(), which is
installed as the snd_card's ->private_free destructor.

However, ->private_free is only assigned near the end of init_card(),
after several failure points (usb_set_interface(), EP type checks,
usb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its
timeout). When any of those fail, init_card() returns an error to
snd_probe(), which calls snd_card_free(card). Because ->private_free
is still NULL, card_free() never runs, the usb_get_dev() reference
is not dropped, and the struct usb_device leaks along with its
descriptor allocations and device_private.

syzbot reproduces this with a malformed UAC3 device whose only valid
altsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call
fails with -EIO and triggers the leak.

Move the ->private_free assignment into create_card(), immediately
after usb_get_dev(), so that every error path reaching snd_card_free()
balances the reference. card_free()'s callees (snd_usb_caiaq_input_free,
free_urbs, kfree) already tolerate the partially-initialized state
because the chip private area is zero-initialized by snd_card_new().
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 6.6.136 < 6.6.140
LinuxLinux Kernel Version >= 6.12.84 < 6.12.86
LinuxLinux Kernel Version >= 6.18.25 < 6.18.27
LinuxLinux Kernel Version >= 7.0.2 < 7.0.4
LinuxLinux Kernel Version7.1 Updaterc1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.12% 0.024
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/50c6a1f05973f56d23280c9d7645a7a5734e0907
Patch
https://git.kernel.org/stable/c/da3b8fd6a202d94fef11a443abc9171c52426a1c
Patch
https://git.kernel.org/stable/c/6153878c5255bb69b7d0868105ca078ef13cbcf8
Patch
https://git.kernel.org/stable/c/21ca595aafa40d3ac70eab1f4cb62cc00ca21657
Patch
https://git.kernel.org/stable/c/7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b
Patch
https://git.kernel.org/stable/c/6fa8dff64fb6c401ced40a05797b327659317498
Patch
https://git.kernel.org/stable/c/a8d907acc3e5a078c2e5637ff60c30c6d2ddc23a
Patch
https://git.kernel.org/stable/c/c874db8a1d2f9f08161470d00cfe8db2f5cca2cc
Patch