ALSA: caiaq: fix usb_dev refcount leak on probe failure

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-46048
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-05-27 14:17:24 UTC
Updated2026-06-16 15:03:20 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: fix usb_dev refcount leak on probe failure create_card() takes a reference on the USB device with usb_get_dev() and stores the matching usb_put_dev() in card_free(), which is installed as the snd_card's ->private_free destructor. However, ->private_free is only assigned near the end of init_card(), after several failure points (usb_set_interface(), EP type checks, usb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its timeout). When any of those fail, init_card() returns an error to snd_probe(), which calls snd_card_free(card). Because ->private_free is still NULL, card_free() never runs, the usb_get_dev() reference is not dropped, and the struct usb_device leaks along with its descriptor allocations and device_private. syzbot reproduces this with a malformed UAC3 device whose only valid altsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call fails with -EIO and triggers the leak. Move the ->private_free assignment into create_card(), immediately after usb_get_dev(), so that every error path reaching snd_card_free() balances the reference. card_free()'s callees (snd_usb_caiaq_input_free, free_urbs, kfree) already tolerate the partially-initialized state because the chip private area is zero-initialized by snd_card_new().

Risk And Classification

Primary CVSS: v3.1 5.5 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.000320000 probability, percentile 0.097350000 (date 2026-06-04)

Problem Types: NVD-CWE-Other

CVSS v3.1 Breakdown

Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Linux Linux Kernel All All All All

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 493b3a682ededc804555755f5d2193201339612d c874db8a1d2f9f08161470d00cfe8db2f5cca2cc git Not specified
CNA Linux Linux affected dbcf7588e8dea017ddb3f18ec2766f7d2e5f2a0e 6fa8dff64fb6c401ced40a05797b327659317498 git Not specified
CNA Linux Linux affected ac7345f68cda6989016d85d63f7b244c064aa8f6 a8d907acc3e5a078c2e5637ff60c30c6d2ddc23a git Not specified
CNA Linux Linux affected f6634af5de728a46792f674a66d7843570cb68f7 50c6a1f05973f56d23280c9d7645a7a5734e0907 git Not specified
CNA Linux Linux affected 1d9be95aee6c6246a21752e60c9519902649f482 da3b8fd6a202d94fef11a443abc9171c52426a1c git Not specified
CNA Linux Linux affected 6473ed16df1fe88051140611b3eb9a49be7f429e 6153878c5255bb69b7d0868105ca078ef13cbcf8 git Not specified
CNA Linux Linux affected 59b622a043cffc58b7638cd85ae6c30a0904f8e6 21ca595aafa40d3ac70eab1f4cb62cc00ca21657 git Not specified
CNA Linux Linux affected 80bb50e2d459213cccff3111d5ef98ed4238c0d5 7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b git Not specified
CNA Linux Linux affected 6.6.136 6.6.140 semver Not specified
CNA Linux Linux affected 6.12.84 6.12.86 semver Not specified
CNA Linux Linux affected 6.18.25 6.18.27 semver Not specified
CNA Linux Linux affected 7.0.2 7.0.4 semver Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/c874db8a1d2f9f08161470d00cfe8db2f5cca2cc 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/6fa8dff64fb6c401ced40a05797b327659317498 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/21ca595aafa40d3ac70eab1f4cb62cc00ca21657 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/da3b8fd6a202d94fef11a443abc9171c52426a1c 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/a8d907acc3e5a078c2e5637ff60c30c6d2ddc23a 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/6153878c5255bb69b7d0868105ca078ef13cbcf8 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/50c6a1f05973f56d23280c9d7645a7a5734e0907 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report