CVE-2026-31701

Severity: Medium (CVSS 3.1 base score 5.5) · EPSS 1.9%
Published May 1, 2026 · Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: caiaq: take a reference on the USB device in create_card()

The caiaq driver stores a pointer to the parent USB device in cdev->chip.dev but never takes a reference on it. The card's private_free callback, snd_usb_caiaq_card_free(), can run asynchronously via snd_card_free_when_closed() after the USB device has already been disconnected and freed, so any access to cdev->chip.dev in that path dereferences a freed usb_device.

On top of the refcounting issue, the current card_free implementation calls usb_reset_device(cdev->chip.dev). A reset in a free callback is inappropriate: the device is going away, the call takes the device lock in a teardown context, and the reset races with the disconnect path that the callback is already cleaning up after.

Take a reference on the USB device in create_card() with usb_get_dev(), drop it with usb_put_dev() in the free callback, and remove the usb_reset_device() call.
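
The lifetime problem described above, as a userspace C model added here for illustration; it is not the kernel's code or the upstream patch. The `model_*` names and the `released` flag (standing in for the device memory being freed) are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Model of a refcounted usb_device; 'released' stands in for freed memory. */
struct model_usb_device { int refs; bool released; };
struct model_card { struct model_usb_device *dev; bool holds_ref; };

static struct model_usb_device *model_get_dev(struct model_usb_device *d)
{
    d->refs++;
    return d;
}

static void model_put_dev(struct model_usb_device *d)
{
    if (--d->refs == 0)
        d->released = true;          /* last reference gone: object is freed */
}

/* create_card(): take_ref == false only stores the pointer (pre-fix behaviour). */
static void model_create_card(struct model_card *c, struct model_usb_device *d,
                              bool take_ref)
{
    c->dev = take_ref ? model_get_dev(d) : d;
    c->holds_ref = take_ref;
}

/* private_free callback; returns true if it touched an already released device. */
static bool model_card_free(struct model_card *c)
{
    bool stale = c->dev->released;   /* in the kernel this read is the UAF */
    if (c->holds_ref)
        model_put_dev(c->dev);       /* fix: drop the card's own reference */
    c->dev = NULL;
    return stale;
}

/* Probe, disconnect (core drops its reference), then the deferred card free. */
static bool run_teardown(bool take_ref)
{
    struct model_usb_device dev = { .refs = 1, .released = false };
    struct model_card card;

    model_create_card(&card, &dev, take_ref);
    model_put_dev(&dev);             /* disconnect happens before last close */
    return model_card_free(&card);   /* runs when the last file handle closes */
}

int main(void)
{
    printf("pre-fix  stale access: %d\n", run_teardown(false));
    printf("post-fix stale access: %d\n", run_teardown(true));
    return 0;
}
```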

CVSS Details

Base Score: 5.5
Exploitability: 1.8
Impact: 3.6
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Threat Intelligence

EPSS Exploit Probability: 1.9% percentile
Exploit & Patch Status: No Known Exploit; Patch Available

Affected Products 5

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥6.13 – <6.18.25
linux    linux_kernel   *         ≥6.19 – <7.0.2
linux    linux_kernel   6.13      any
linux    linux_kernel   7.1       any
linux    linux_kernel   7.1       any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/1d9be95aee6c6246a21752e60c9519902649f482
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/493b3a682ededc804555755f5d2193201339612d
  • git.kernel.org https://git.kernel.org/stable/c/59b622a043cffc58b7638cd85ae6c30a0904f8e6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6473ed16df1fe88051140611b3eb9a49be7f429e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/80bb50e2d459213cccff3111d5ef98ed4238c0d5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ac7345f68cda6989016d85d63f7b244c064aa8f6
  • git.kernel.org https://git.kernel.org/stable/c/dbcf7588e8dea017ddb3f18ec2766f7d2e5f2a0e
  • git.kernel.org https://git.kernel.org/stable/c/f6634af5de728a46792f674a66d7843570cb68f7
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/1d9be95aee6c6246a21752e60c9519902649f482
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/59b622a043cffc58b7638cd85ae6c30a0904f8e6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6473ed16df1fe88051140611b3eb9a49be7f429e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/80bb50e2d459213cccff3111d5ef98ed4238c0d5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f6634af5de728a46792f674a66d7843570cb68f7
    Patch