CVE-2026-23089

HIGH EPSS 3.3%
Published Feb 4, 20264mo ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published Feb 4, 2026 4mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees mixer->id_elems but the controls already added to the card still reference the freed memory. Later when snd_card_register() runs, the OSS mixer layer calls their callbacks and hits a use-after-free read. Call trace: get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411 get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241 mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381 snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887 ... snd_card_register+0x4ed/0x6d0 sound/core/init.c:923 usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025 Fix by calling snd_ctl_remove() for all mixer controls before freeing id_elems. We save the next pointer first because snd_ctl_remove() frees the current element.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
3.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 12

VendorProductVersionRange
linuxlinux_kernel*≥2.6.13  –  <5.10.249
linuxlinux_kernel*≥5.11  –  <5.15.199
linuxlinux_kernel*≥5.16  –  <6.1.162
linuxlinux_kernel*≥6.2  –  <6.6.122
linuxlinux_kernel*≥6.7  –  <6.12.68
linuxlinux_kernel*≥6.13  –  <6.18.8
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/51b1aa6fe7dc87356ba58df06afb9677c9b841ea
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/56fb6efd5d04caf6f14994d51ec85393b9a896c6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7009daeefa945973a530b2f605fe445fc03747af
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7bff0156d13f0ad9436e5178b979b063d59f572a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/930e69757b74c3ae083b0c3c7419bfe7f0edc7b2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dc1a5dd80af1ee1f29d8375b12dd7625f6294dad
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e6f103a22b08daf5df2f4aa158081840e5910963
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/51b1aa6fe7dc87356ba58df06afb9677c9b841ea
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/56fb6efd5d04caf6f14994d51ec85393b9a896c6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7009daeefa945973a530b2f605fe445fc03747af
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7bff0156d13f0ad9436e5178b979b063d59f572a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/930e69757b74c3ae083b0c3c7419bfe7f0edc7b2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dc1a5dd80af1ee1f29d8375b12dd7625f6294dad
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e6f103a22b08daf5df2f4aa158081840e5910963
    Patch