{"api_version":"1","generated_at":"2026-04-25T06:07:41+00:00","cve":"CVE-2026-31587","urls":{"html":"https://cve.report/CVE-2026-31587","api":"https://cve.report/api/cve/CVE-2026-31587.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-31587","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-31587"},"summary":{"title":"ASoC: qcom: q6apm: move component registration to unmanaged version","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: q6apm: move component registration to unmanaged version\n\nq6apm component registers dais dynamically from ASoC toplology, which\nare allocated using device managed version apis. Allocating both\ncomponent and dynamic dais using managed version could lead to incorrect\nfree ordering, dai will be freed while component still holding references\nto it.\n\nFix this issue by moving component to unmanged version so\nthat the dai pointers are only freeded after the component is removed.\n\n==================================================================\nBUG: KASAN: slab-use-after-free in snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]\nRead of size 8 at addr ffff00084493a6e8 by task kworker/u48:0/3426\nTainted: [W]=WARN\nHardware name: LENOVO 21N2ZC5PUS/21N2ZC5PUS, BIOS N42ET57W (1.31 ) 08/08/2024\nWorkqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]\nCall trace:\n show_stack+0x28/0x7c (C)\n dump_stack_lvl+0x60/0x80\n print_report+0x160/0x4b4\n kasan_report+0xac/0xfc\n __asan_report_load8_noabort+0x20/0x34\n snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]\n snd_soc_unregister_component_by_driver+0x50/0x88 [snd_soc_core]\n devm_component_release+0x30/0x5c [snd_soc_core]\n devres_release_all+0x13c/0x210\n device_unbind_cleanup+0x20/0x190\n device_release_driver_internal+0x350/0x468\n device_release_driver+0x18/0x30\n bus_remove_device+0x1a0/0x35c\n device_del+0x314/0x7f0\n device_unregister+0x20/0xbc\n apr_remove_device+0x5c/0x7c [apr]\n device_for_each_child+0xd8/0x160\n apr_pd_status+0x7c/0xa8 [apr]\n pdr_notifier_work+0x114/0x240 [pdr_interface]\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n ret_from_fork+0x10/0x20\n\nAllocated by task 77:\n kasan_save_stack+0x40/0x68\n kasan_save_track+0x20/0x40\n kasan_save_alloc_info+0x44/0x58\n __kasan_kmalloc+0xbc/0xdc\n __kmalloc_node_track_caller_noprof+0x1f4/0x620\n devm_kmalloc+0x7c/0x1c8\n snd_soc_register_dai+0x50/0x4f0 [snd_soc_core]\n soc_tplg_pcm_elems_load+0x55c/0x1eb8 [snd_soc_core]\n snd_soc_tplg_component_load+0x4f8/0xb60 [snd_soc_core]\n audioreach_tplg_init+0x124/0x1fc [snd_q6apm]\n q6apm_audio_probe+0x10/0x1c [snd_q6apm]\n snd_soc_component_probe+0x5c/0x118 [snd_soc_core]\n soc_probe_component+0x44c/0xaf0 [snd_soc_core]\n snd_soc_bind_card+0xad0/0x2370 [snd_soc_core]\n snd_soc_register_card+0x3b0/0x4c0 [snd_soc_core]\n devm_snd_soc_register_card+0x50/0xc8 [snd_soc_core]\n x1e80100_platform_probe+0x208/0x368 [snd_soc_x1e80100]\n platform_probe+0xc0/0x188\n really_probe+0x188/0x804\n __driver_probe_device+0x158/0x358\n driver_probe_device+0x60/0x190\n __device_attach_driver+0x16c/0x2a8\n bus_for_each_drv+0x100/0x194\n __device_attach+0x174/0x380\n device_initial_probe+0x14/0x20\n bus_probe_device+0x124/0x154\n deferred_probe_work_func+0x140/0x220\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n ret_from_fork+0x10/0x20\n\nFreed by task 3426:\n kasan_save_stack+0x40/0x68\n kasan_save_track+0x20/0x40\n __kasan_save_free_info+0x4c/0x80\n __kasan_slab_free+0x78/0xa0\n kfree+0x100/0x4a4\n devres_release_all+0x144/0x210\n device_unbind_cleanup+0x20/0x190\n device_release_driver_internal+0x350/0x468\n device_release_driver+0x18/0x30\n bus_remove_device+0x1a0/0x35c\n device_del+0x314/0x7f0\n device_unregister+0x20/0xbc\n apr_remove_device+0x5c/0x7c [apr]\n device_for_each_child+0xd8/0x160\n apr_pd_status+0x7c/0xa8 [apr]\n pdr_notifier_work+0x114/0x240 [pdr_interface]\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n ret_from_fork+0x10/0x20","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-24 15:16:33","updated_at":"2026-04-24 17:51:40"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/b7412ed789ffb1e59c8d6f5ab6a6a718963c85e2","name":"https://git.kernel.org/stable/c/b7412ed789ffb1e59c8d6f5ab6a6a718963c85e2","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f7b790531cdad3b2075ab937aa06d7b802403be4","name":"https://git.kernel.org/stable/c/f7b790531cdad3b2075ab937aa06d7b802403be4","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/30383b7780ffa140bc124de5b66cae7c84133dbb","name":"https://git.kernel.org/stable/c/30383b7780ffa140bc124de5b66cae7c84133dbb","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a561a55b79a9c55f0443377f2d4dcf6149d057af","name":"https://git.kernel.org/stable/c/a561a55b79a9c55f0443377f2d4dcf6149d057af","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-31587","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31587","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 b7412ed789ffb1e59c8d6f5ab6a6a718963c85e2 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 30383b7780ffa140bc124de5b66cae7c84133dbb git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 f7b790531cdad3b2075ab937aa06d7b802403be4 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 a561a55b79a9c55f0443377f2d4dcf6149d057af git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.83 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.24 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.14 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.1 7.0.* semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["sound/soc/qcom/qdsp6/q6apm.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"b7412ed789ffb1e59c8d6f5ab6a6a718963c85e2","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"30383b7780ffa140bc124de5b66cae7c84133dbb","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"f7b790531cdad3b2075ab937aa06d7b802403be4","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"a561a55b79a9c55f0443377f2d4dcf6149d057af","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["sound/soc/qcom/qdsp6/q6apm.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.83","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.24","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.14","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.1","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.83","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.24","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.1","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: q6apm: move component registration to unmanaged version\n\nq6apm component registers dais dynamically from ASoC toplology, which\nare allocated using device managed version apis. Allocating both\ncomponent and dynamic dais using managed version could lead to incorrect\nfree ordering, dai will be freed while component still holding references\nto it.\n\nFix this issue by moving component to unmanged version so\nthat the dai pointers are only freeded after the component is removed.\n\n==================================================================\nBUG: KASAN: slab-use-after-free in snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]\nRead of size 8 at addr ffff00084493a6e8 by task kworker/u48:0/3426\nTainted: [W]=WARN\nHardware name: LENOVO 21N2ZC5PUS/21N2ZC5PUS, BIOS N42ET57W (1.31 ) 08/08/2024\nWorkqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]\nCall trace:\n show_stack+0x28/0x7c (C)\n dump_stack_lvl+0x60/0x80\n print_report+0x160/0x4b4\n kasan_report+0xac/0xfc\n __asan_report_load8_noabort+0x20/0x34\n snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]\n snd_soc_unregister_component_by_driver+0x50/0x88 [snd_soc_core]\n devm_component_release+0x30/0x5c [snd_soc_core]\n devres_release_all+0x13c/0x210\n device_unbind_cleanup+0x20/0x190\n device_release_driver_internal+0x350/0x468\n device_release_driver+0x18/0x30\n bus_remove_device+0x1a0/0x35c\n device_del+0x314/0x7f0\n device_unregister+0x20/0xbc\n apr_remove_device+0x5c/0x7c [apr]\n device_for_each_child+0xd8/0x160\n apr_pd_status+0x7c/0xa8 [apr]\n pdr_notifier_work+0x114/0x240 [pdr_interface]\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n ret_from_fork+0x10/0x20\n\nAllocated by task 77:\n kasan_save_stack+0x40/0x68\n kasan_save_track+0x20/0x40\n kasan_save_alloc_info+0x44/0x58\n __kasan_kmalloc+0xbc/0xdc\n __kmalloc_node_track_caller_noprof+0x1f4/0x620\n devm_kmalloc+0x7c/0x1c8\n snd_soc_register_dai+0x50/0x4f0 [snd_soc_core]\n soc_tplg_pcm_elems_load+0x55c/0x1eb8 [snd_soc_core]\n snd_soc_tplg_component_load+0x4f8/0xb60 [snd_soc_core]\n audioreach_tplg_init+0x124/0x1fc [snd_q6apm]\n q6apm_audio_probe+0x10/0x1c [snd_q6apm]\n snd_soc_component_probe+0x5c/0x118 [snd_soc_core]\n soc_probe_component+0x44c/0xaf0 [snd_soc_core]\n snd_soc_bind_card+0xad0/0x2370 [snd_soc_core]\n snd_soc_register_card+0x3b0/0x4c0 [snd_soc_core]\n devm_snd_soc_register_card+0x50/0xc8 [snd_soc_core]\n x1e80100_platform_probe+0x208/0x368 [snd_soc_x1e80100]\n platform_probe+0xc0/0x188\n really_probe+0x188/0x804\n __driver_probe_device+0x158/0x358\n driver_probe_device+0x60/0x190\n __device_attach_driver+0x16c/0x2a8\n bus_for_each_drv+0x100/0x194\n __device_attach+0x174/0x380\n device_initial_probe+0x14/0x20\n bus_probe_device+0x124/0x154\n deferred_probe_work_func+0x140/0x220\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n ret_from_fork+0x10/0x20\n\nFreed by task 3426:\n kasan_save_stack+0x40/0x68\n kasan_save_track+0x20/0x40\n __kasan_save_free_info+0x4c/0x80\n __kasan_slab_free+0x78/0xa0\n kfree+0x100/0x4a4\n devres_release_all+0x144/0x210\n device_unbind_cleanup+0x20/0x190\n device_release_driver_internal+0x350/0x468\n device_release_driver+0x18/0x30\n bus_remove_device+0x1a0/0x35c\n device_del+0x314/0x7f0\n device_unregister+0x20/0xbc\n apr_remove_device+0x5c/0x7c [apr]\n device_for_each_child+0xd8/0x160\n apr_pd_status+0x7c/0xa8 [apr]\n pdr_notifier_work+0x114/0x240 [pdr_interface]\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n ret_from_fork+0x10/0x20"}],"providerMetadata":{"dateUpdated":"2026-04-24T14:42:15.625Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/b7412ed789ffb1e59c8d6f5ab6a6a718963c85e2"},{"url":"https://git.kernel.org/stable/c/30383b7780ffa140bc124de5b66cae7c84133dbb"},{"url":"https://git.kernel.org/stable/c/f7b790531cdad3b2075ab937aa06d7b802403be4"},{"url":"https://git.kernel.org/stable/c/a561a55b79a9c55f0443377f2d4dcf6149d057af"}],"title":"ASoC: qcom: q6apm: move component registration to unmanaged version","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-31587","datePublished":"2026-04-24T14:42:15.625Z","dateReserved":"2026-03-09T15:48:24.120Z","dateUpdated":"2026-04-24T14:42:15.625Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-24 15:16:33","lastModifiedDate":"2026-04-24 17:51:40","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"31587","Ordinal":"1","Title":"ASoC: qcom: q6apm: move component registration to unmanaged vers","CVE":"CVE-2026-31587","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"31587","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: q6apm: move component registration to unmanaged version\n\nq6apm component registers dais dynamically from ASoC toplology, which\nare allocated using device managed version apis. Allocating both\ncomponent and dynamic dais using managed version could lead to incorrect\nfree ordering, dai will be freed while component still holding references\nto it.\n\nFix this issue by moving component to unmanged version so\nthat the dai pointers are only freeded after the component is removed.\n\n==================================================================\nBUG: KASAN: slab-use-after-free in snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]\nRead of size 8 at addr ffff00084493a6e8 by task kworker/u48:0/3426\nTainted: [W]=WARN\nHardware name: LENOVO 21N2ZC5PUS/21N2ZC5PUS, BIOS N42ET57W (1.31 ) 08/08/2024\nWorkqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]\nCall trace:\n show_stack+0x28/0x7c (C)\n dump_stack_lvl+0x60/0x80\n print_report+0x160/0x4b4\n kasan_report+0xac/0xfc\n __asan_report_load8_noabort+0x20/0x34\n snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]\n snd_soc_unregister_component_by_driver+0x50/0x88 [snd_soc_core]\n devm_component_release+0x30/0x5c [snd_soc_core]\n devres_release_all+0x13c/0x210\n device_unbind_cleanup+0x20/0x190\n device_release_driver_internal+0x350/0x468\n device_release_driver+0x18/0x30\n bus_remove_device+0x1a0/0x35c\n device_del+0x314/0x7f0\n device_unregister+0x20/0xbc\n apr_remove_device+0x5c/0x7c [apr]\n device_for_each_child+0xd8/0x160\n apr_pd_status+0x7c/0xa8 [apr]\n pdr_notifier_work+0x114/0x240 [pdr_interface]\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n ret_from_fork+0x10/0x20\n\nAllocated by task 77:\n kasan_save_stack+0x40/0x68\n kasan_save_track+0x20/0x40\n kasan_save_alloc_info+0x44/0x58\n __kasan_kmalloc+0xbc/0xdc\n __kmalloc_node_track_caller_noprof+0x1f4/0x620\n devm_kmalloc+0x7c/0x1c8\n snd_soc_register_dai+0x50/0x4f0 [snd_soc_core]\n soc_tplg_pcm_elems_load+0x55c/0x1eb8 [snd_soc_core]\n snd_soc_tplg_component_load+0x4f8/0xb60 [snd_soc_core]\n audioreach_tplg_init+0x124/0x1fc [snd_q6apm]\n q6apm_audio_probe+0x10/0x1c [snd_q6apm]\n snd_soc_component_probe+0x5c/0x118 [snd_soc_core]\n soc_probe_component+0x44c/0xaf0 [snd_soc_core]\n snd_soc_bind_card+0xad0/0x2370 [snd_soc_core]\n snd_soc_register_card+0x3b0/0x4c0 [snd_soc_core]\n devm_snd_soc_register_card+0x50/0xc8 [snd_soc_core]\n x1e80100_platform_probe+0x208/0x368 [snd_soc_x1e80100]\n platform_probe+0xc0/0x188\n really_probe+0x188/0x804\n __driver_probe_device+0x158/0x358\n driver_probe_device+0x60/0x190\n __device_attach_driver+0x16c/0x2a8\n bus_for_each_drv+0x100/0x194\n __device_attach+0x174/0x380\n device_initial_probe+0x14/0x20\n bus_probe_device+0x124/0x154\n deferred_probe_work_func+0x140/0x220\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n ret_from_fork+0x10/0x20\n\nFreed by task 3426:\n kasan_save_stack+0x40/0x68\n kasan_save_track+0x20/0x40\n __kasan_save_free_info+0x4c/0x80\n __kasan_slab_free+0x78/0xa0\n kfree+0x100/0x4a4\n devres_release_all+0x144/0x210\n device_unbind_cleanup+0x20/0x190\n device_release_driver_internal+0x350/0x468\n device_release_driver+0x18/0x30\n bus_remove_device+0x1a0/0x35c\n device_del+0x314/0x7f0\n device_unregister+0x20/0xbc\n apr_remove_device+0x5c/0x7c [apr]\n device_for_each_child+0xd8/0x160\n apr_pd_status+0x7c/0xa8 [apr]\n pdr_notifier_work+0x114/0x240 [pdr_interface]\n process_one_work+0x500/0xb70\n worker_thread+0x630/0xfb0\n kthread+0x370/0x6c0\n ret_from_fork+0x10/0x20","Type":"Description","Title":"ASoC: qcom: q6apm: move component registration to unmanaged vers"}]}}}