CVE-2026-46048

MEDIUM EPSS 2.4%
Published May 27, 20261mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published May 27, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: fix usb_dev refcount leak on probe failure create_card() takes a reference on the USB device with usb_get_dev() and stores the matching usb_put_dev() in card_free(), which is installed as the snd_card's ->private_free destructor. However, ->private_free is only assigned near the end of init_card(), after several failure points (usb_set_interface(), EP type checks, usb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its timeout). When any of those fail, init_card() returns an error to snd_probe(), which calls snd_card_free(card). Because ->private_free is still NULL, card_free() never runs, the usb_get_dev() reference is not dropped, and the struct usb_device leaks along with its descriptor allocations and device_private. syzbot reproduces this with a malformed UAC3 device whose only valid altsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call fails with -EIO and triggers the leak. Move the ->private_free assignment into create_card(), immediately after usb_get_dev(), so that every error path reaching snd_card_free() balances the reference. card_free()'s callees (snd_usb_caiaq_input_free, free_urbs, kfree) already tolerate the partially-initialized state because the chip private area is zero-initialized by snd_card_new().

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 5

VendorProductVersionRange
linuxlinux_kernel*≥6.6.136  –  <6.6.140
linuxlinux_kernel*≥6.12.84  –  <6.12.86
linuxlinux_kernel*≥6.18.25  –  <6.18.27
linuxlinux_kernel*≥7.0.2  –  <7.0.4
linuxlinux_kernel7.1any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/21ca595aafa40d3ac70eab1f4cb62cc00ca21657
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/50c6a1f05973f56d23280c9d7645a7a5734e0907
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6153878c5255bb69b7d0868105ca078ef13cbcf8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6fa8dff64fb6c401ced40a05797b327659317498
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a8d907acc3e5a078c2e5637ff60c30c6d2ddc23a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c874db8a1d2f9f08161470d00cfe8db2f5cca2cc
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/da3b8fd6a202d94fef11a443abc9171c52426a1c
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/21ca595aafa40d3ac70eab1f4cb62cc00ca21657
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/50c6a1f05973f56d23280c9d7645a7a5734e0907
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6153878c5255bb69b7d0868105ca078ef13cbcf8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6fa8dff64fb6c401ced40a05797b327659317498
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a8d907acc3e5a078c2e5637ff60c30c6d2ddc23a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c874db8a1d2f9f08161470d00cfe8db2f5cca2cc
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/da3b8fd6a202d94fef11a443abc9171c52426a1c
    Patch