CVE-2026-31581

EUVD-2026-25474

24.04.2026, 15:16

In the Linux kernel, the following vulnerability has been resolved:

ALSA: 6fire: fix use-after-free on disconnect

In usb6fire_chip_abort(), the chip struct is allocated as the card's
private data (via snd_card_new with sizeof(struct sfire_chip)).  When
snd_card_free_when_closed() is called and no file handles are open, the
card and embedded chip are freed synchronously.  The subsequent
chip->card = NULL write then hits freed slab memory.

Call trace:
  usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline]
  usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182
  usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458
  ...
  hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953

Fix by moving the card lifecycle out of usb6fire_chip_abort() and into
usb6fire_chip_disconnect().  The card pointer is saved in a local
before any teardown, snd_card_disconnect() is called first to prevent
new opens, URBs are aborted while chip is still valid, and
snd_card_free_when_closed() is called last so chip is never accessed
after the card may be freed.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	𝑥 < 6.6.136
linux	linux_kernel	6.12 ≤ 𝑥 < 6.12.83
linux	linux_kernel	6.13 ≤ 𝑥 < 6.18.24
linux	linux_kernel	6.19 ≤ 𝑥 < 6.19.14
linux	linux_kernel	7.0 ≤ 𝑥 < 7.0.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um nicht näher spezifizierte Angriffe durchzuführen, welche zu einem Denial-of-Service-Zustand, einer Rechteausweitung, der Ausführung von Code oder einer Speicherbeschädigung führen könnten.
Published: 2026-04-26T22:00:00+00:00

References

https://git.kernel.org/stable/c/3dc20d1981d6a67d8184498a5da272942dde1e65

https://git.kernel.org/stable/c/51f6532790b74ffdd6970bc848358a2838c1c185

https://git.kernel.org/stable/c/af75b486f7e883e3422ece23c8d727e6815144a0

https://git.kernel.org/stable/c/b9c826916fdce6419b94eb0cd8810fdac18c2386

https://git.kernel.org/stable/c/ba88461f7653636c48321ca993006a74724c2f41

https://git.kernel.org/stable/c/d21e8a2af4869b5890b34e081d5aeadc93e9cd5c

https://git.kernel.org/stable/c/e247a0e01d15ed420f77ec5e2335721bf430a5b3

https://git.kernel.org/stable/c/e719232f4552e29de8027a83918ea94434be87af

https://git.kernel.org/stable/c/e88354b381e2006de63d6b052ed7005c9a47d00e