{"api_version":"1","generated_at":"2026-05-28T04:23:43+00:00","cve":"CVE-2026-46048","urls":{"html":"https://cve.report/CVE-2026-46048","api":"https://cve.report/api/cve/CVE-2026-46048.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-46048","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-46048"},"summary":{"title":"ALSA: caiaq: fix usb_dev refcount leak on probe failure","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: caiaq: fix usb_dev refcount leak on probe failure\n\ncreate_card() takes a reference on the USB device with usb_get_dev()\nand stores the matching usb_put_dev() in card_free(), which is\ninstalled as the snd_card's ->private_free destructor.\n\nHowever, ->private_free is only assigned near the end of init_card(),\nafter several failure points (usb_set_interface(), EP type checks,\nusb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its\ntimeout). When any of those fail, init_card() returns an error to\nsnd_probe(), which calls snd_card_free(card). Because ->private_free\nis still NULL, card_free() never runs, the usb_get_dev() reference\nis not dropped, and the struct usb_device leaks along with its\ndescriptor allocations and device_private.\n\nsyzbot reproduces this with a malformed UAC3 device whose only valid\naltsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call\nfails with -EIO and triggers the leak.\n\nMove the ->private_free assignment into create_card(), immediately\nafter usb_get_dev(), so that every error path reaching snd_card_free()\nbalances the reference. card_free()'s callees (snd_usb_caiaq_input_free,\nfree_urbs, kfree) already tolerate the partially-initialized state\nbecause the chip private area is zero-initialized by snd_card_new().","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-27 14:17:24","updated_at":"2026-05-27 14:48:03"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/21ca595aafa40d3ac70eab1f4cb62cc00ca21657","name":"https://git.kernel.org/stable/c/21ca595aafa40d3ac70eab1f4cb62cc00ca21657","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/da3b8fd6a202d94fef11a443abc9171c52426a1c","name":"https://git.kernel.org/stable/c/da3b8fd6a202d94fef11a443abc9171c52426a1c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b","name":"https://git.kernel.org/stable/c/7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/6153878c5255bb69b7d0868105ca078ef13cbcf8","name":"https://git.kernel.org/stable/c/6153878c5255bb69b7d0868105ca078ef13cbcf8","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/50c6a1f05973f56d23280c9d7645a7a5734e0907","name":"https://git.kernel.org/stable/c/50c6a1f05973f56d23280c9d7645a7a5734e0907","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-46048","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46048","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f6634af5de728a46792f674a66d7843570cb68f7 50c6a1f05973f56d23280c9d7645a7a5734e0907 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1d9be95aee6c6246a21752e60c9519902649f482 da3b8fd6a202d94fef11a443abc9171c52426a1c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6473ed16df1fe88051140611b3eb9a49be7f429e 6153878c5255bb69b7d0868105ca078ef13cbcf8 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 59b622a043cffc58b7638cd85ae6c30a0904f8e6 21ca595aafa40d3ac70eab1f4cb62cc00ca21657 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 80bb50e2d459213cccff3111d5ef98ed4238c0d5 7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.6.136 6.6.140 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.12.84 6.12.86 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.18.25 6.18.27 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7.0.2 7.0.4 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7.1-rc1","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1-rc1 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.140 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.86 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.27 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.4 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1-rc2 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["sound/usb/caiaq/device.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"50c6a1f05973f56d23280c9d7645a7a5734e0907","status":"affected","version":"f6634af5de728a46792f674a66d7843570cb68f7","versionType":"git"},{"lessThan":"da3b8fd6a202d94fef11a443abc9171c52426a1c","status":"affected","version":"1d9be95aee6c6246a21752e60c9519902649f482","versionType":"git"},{"lessThan":"6153878c5255bb69b7d0868105ca078ef13cbcf8","status":"affected","version":"6473ed16df1fe88051140611b3eb9a49be7f429e","versionType":"git"},{"lessThan":"21ca595aafa40d3ac70eab1f4cb62cc00ca21657","status":"affected","version":"59b622a043cffc58b7638cd85ae6c30a0904f8e6","versionType":"git"},{"lessThan":"7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b","status":"affected","version":"80bb50e2d459213cccff3111d5ef98ed4238c0d5","versionType":"git"},{"lessThan":"6.6.140","status":"affected","version":"6.6.136","versionType":"semver"},{"lessThan":"6.12.86","status":"affected","version":"6.12.84","versionType":"semver"},{"lessThan":"6.18.27","status":"affected","version":"6.18.25","versionType":"semver"},{"lessThan":"7.0.4","status":"affected","version":"7.0.2","versionType":"semver"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["sound/usb/caiaq/device.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"7.1-rc1"},{"lessThan":"7.1-rc1","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.140","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.86","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.27","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.4","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1-rc2","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.140","versionStartIncluding":"6.6.136","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.86","versionStartIncluding":"6.12.84","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.27","versionStartIncluding":"6.18.25","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.4","versionStartIncluding":"7.0.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1-rc2","versionStartIncluding":"7.1-rc1","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: caiaq: fix usb_dev refcount leak on probe failure\n\ncreate_card() takes a reference on the USB device with usb_get_dev()\nand stores the matching usb_put_dev() in card_free(), which is\ninstalled as the snd_card's ->private_free destructor.\n\nHowever, ->private_free is only assigned near the end of init_card(),\nafter several failure points (usb_set_interface(), EP type checks,\nusb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its\ntimeout). When any of those fail, init_card() returns an error to\nsnd_probe(), which calls snd_card_free(card). Because ->private_free\nis still NULL, card_free() never runs, the usb_get_dev() reference\nis not dropped, and the struct usb_device leaks along with its\ndescriptor allocations and device_private.\n\nsyzbot reproduces this with a malformed UAC3 device whose only valid\naltsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call\nfails with -EIO and triggers the leak.\n\nMove the ->private_free assignment into create_card(), immediately\nafter usb_get_dev(), so that every error path reaching snd_card_free()\nbalances the reference. card_free()'s callees (snd_usb_caiaq_input_free,\nfree_urbs, kfree) already tolerate the partially-initialized state\nbecause the chip private area is zero-initialized by snd_card_new()."}],"providerMetadata":{"dateUpdated":"2026-05-27T12:57:04.477Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/50c6a1f05973f56d23280c9d7645a7a5734e0907"},{"url":"https://git.kernel.org/stable/c/da3b8fd6a202d94fef11a443abc9171c52426a1c"},{"url":"https://git.kernel.org/stable/c/6153878c5255bb69b7d0868105ca078ef13cbcf8"},{"url":"https://git.kernel.org/stable/c/21ca595aafa40d3ac70eab1f4cb62cc00ca21657"},{"url":"https://git.kernel.org/stable/c/7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b"}],"title":"ALSA: caiaq: fix usb_dev refcount leak on probe failure","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-46048","datePublished":"2026-05-27T12:57:04.477Z","dateReserved":"2026-05-13T15:03:33.094Z","dateUpdated":"2026-05-27T12:57:04.477Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-27 14:17:24","lastModifiedDate":"2026-05-27 14:48:03","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"46048","Ordinal":"1","Title":"ALSA: caiaq: fix usb_dev refcount leak on probe failure","CVE":"CVE-2026-46048","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"46048","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: caiaq: fix usb_dev refcount leak on probe failure\n\ncreate_card() takes a reference on the USB device with usb_get_dev()\nand stores the matching usb_put_dev() in card_free(), which is\ninstalled as the snd_card's ->private_free destructor.\n\nHowever, ->private_free is only assigned near the end of init_card(),\nafter several failure points (usb_set_interface(), EP type checks,\nusb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its\ntimeout). When any of those fail, init_card() returns an error to\nsnd_probe(), which calls snd_card_free(card). Because ->private_free\nis still NULL, card_free() never runs, the usb_get_dev() reference\nis not dropped, and the struct usb_device leaks along with its\ndescriptor allocations and device_private.\n\nsyzbot reproduces this with a malformed UAC3 device whose only valid\naltsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call\nfails with -EIO and triggers the leak.\n\nMove the ->private_free assignment into create_card(), immediately\nafter usb_get_dev(), so that every error path reaching snd_card_free()\nbalances the reference. card_free()'s callees (snd_usb_caiaq_input_free,\nfree_urbs, kfree) already tolerate the partially-initialized state\nbecause the chip private area is zero-initialized by snd_card_new().","Type":"Description","Title":"ALSA: caiaq: fix usb_dev refcount leak on probe failure"}]}}}