CVE-2026-31581

HIGH EPSS 2.8%
Published Apr 24, 2026 (2mo ago) · Modified Jun 17, 2026 (1w ago)
7.8 CVSS 3.1
High

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: 6fire: fix use-after-free on disconnect

In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfire_chip)). When snd_card_free_when_closed() is called and no file handles are open, the card and embedded chip are freed synchronously. The subsequent chip->card = NULL write then hits freed slab memory.

Call trace:

    usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline]
    usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182
    usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458
    ...
    hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953

Fix by moving the card lifecycle out of usb6fire_chip_abort() and into usb6fire_chip_disconnect(). The card pointer is saved in a local before any teardown, snd_card_disconnect() is called first to prevent new opens, URBs are aborted while chip is still valid, and snd_card_free_when_closed() is called last so chip is never accessed after the card may be freed.
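The teardown ordering described above, as a userspace C model added here (it is not the kernel driver's code or the patch itself). The model_* names, the chip_of() accessor and the stale_accesses counter are assumptions made for illustration; a released card is only flagged as such, so post-release accesses are counted rather than performed on freed memory.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model with hypothetical names: the chip is embedded in the card
 * allocation (private data), so releasing the card releases the chip too. */
struct model_card;
struct model_chip { struct model_card *card; bool urbs_running; };
struct model_card { bool live, disconnected; int open_files; struct model_chip chip; };
static int stale_accesses; /* chip accesses made after the card was released */

/* All post-teardown chip accesses go through here, so an access after
 * release is counted instead of really touching freed memory. */
static struct model_chip *chip_of(struct model_card *card) {
    if (!card->live) stale_accesses++;
    return &card->chip;
}
static void model_init(struct model_card *card, int open_files) {
    *card = (struct model_card){ .live = true, .open_files = open_files };
    card->chip.card = card;
    card->chip.urbs_running = true;
    stale_accesses = 0;
}
static void model_disconnect(struct model_card *card) { card->disconnected = true; }
static void model_free_when_closed(struct model_card *card) {
    if (card->open_files == 0) card->live = false; /* no open handles: freed now */
}

/* Ordering before the fix: card teardown happens inside the abort step. */
int teardown_before_fix(int open_files) {
    struct model_card card;
    model_init(&card, open_files);
    chip_of(&card)->urbs_running = false;      /* abort URBs */
    model_disconnect(card.chip.card);
    model_free_when_closed(card.chip.card);
    chip_of(&card)->card = NULL;               /* write after possible free */
    return stale_accesses;
}

/* Ordering after the fix, following the four steps in the description. */
int teardown_after_fix(int open_files) {
    struct model_card card;
    model_init(&card, open_files);
    struct model_card *saved = chip_of(&card)->card; /* 1. save card pointer */
    model_disconnect(saved);                         /* 2. prevent new opens */
    chip_of(&card)->urbs_running = false;            /* 3. abort URBs, chip valid */
    model_free_when_closed(saved);                   /* 4. last: may free card+chip */
    return stale_accesses;
}
```

With an open file handle the release is deferred, so the old ordering only records a stale access when open_files is 0, matching the "no file handles are open" condition in the description.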

CVSS Details

Base Score 7.8
Exploitability 1.8
Impact 5.9
Vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 5

Vendor   Product        Version   Range
linux    linux_kernel   *         <6.6.136
linux    linux_kernel   *         ≥6.12 – <6.12.83
linux    linux_kernel   *         ≥6.13 – <6.18.24
linux    linux_kernel   *         ≥6.19 – <6.19.14
linux    linux_kernel   *         ≥7.0 – <7.0.1

References 9

  • git.kernel.org https://git.kernel.org/stable/c/3dc20d1981d6a67d8184498a5da272942dde1e65
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/51f6532790b74ffdd6970bc848358a2838c1c185
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/af75b486f7e883e3422ece23c8d727e6815144a0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b9c826916fdce6419b94eb0cd8810fdac18c2386
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ba88461f7653636c48321ca993006a74724c2f41
  • git.kernel.org https://git.kernel.org/stable/c/d21e8a2af4869b5890b34e081d5aeadc93e9cd5c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e247a0e01d15ed420f77ec5e2335721bf430a5b3
  • git.kernel.org https://git.kernel.org/stable/c/e719232f4552e29de8027a83918ea94434be87af
  • git.kernel.org https://git.kernel.org/stable/c/e88354b381e2006de63d6b052ed7005c9a47d00e
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/3dc20d1981d6a67d8184498a5da272942dde1e65
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/51f6532790b74ffdd6970bc848358a2838c1c185
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/af75b486f7e883e3422ece23c8d727e6815144a0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b9c826916fdce6419b94eb0cd8810fdac18c2386
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d21e8a2af4869b5890b34e081d5aeadc93e9cd5c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e88354b381e2006de63d6b052ed7005c9a47d00e
    Patch