CVE-2026-31581

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: 6fire: fix use-after-free on disconnect<br /> <br /> In usb6fire_chip_abort(), the chip struct is allocated as the card&amp;#39;s<br /> private data (via snd_card_new with sizeof(struct sfire_chip)). When<br /> snd_card_free_when_closed() is called and no file handles are open, the<br /> card and embedded chip are freed synchronously. The subsequent<br /> chip-&gt;card = NULL write then hits freed slab memory.<br /> <br /> Call trace:<br /> usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline]<br /> usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182<br /> usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458<br /> ...<br /> hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953<br /> <br /> Fix by moving the card lifecycle out of usb6fire_chip_abort() and into<br /> usb6fire_chip_disconnect(). The card pointer is saved in a local<br /> before any teardown, snd_card_disconnect() is called first to prevent<br /> new opens, URBs are aborted while chip is still valid, and<br /> snd_card_free_when_closed() is called last so chip is never accessed<br /> after the card may be freed.