CVE-2026-46048

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 27/05/2026
Last modified: 16/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: caiaq: fix usb_dev refcount leak on probe failure

create_card() takes a reference on the USB device with usb_get_dev()
and stores the matching usb_put_dev() in card_free(), which is
installed as the snd_card's ->private_free destructor.

However, ->private_free is only assigned near the end of init_card(),
after several failure points (usb_set_interface(), EP type checks,
usb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its
timeout). When any of those fail, init_card() returns an error to
snd_probe(), which calls snd_card_free(card). Because ->private_free
is still NULL, card_free() never runs, the usb_get_dev() reference
is not dropped, and the struct usb_device leaks along with its
descriptor allocations and device_private.

syzbot reproduces this with a malformed UAC3 device whose only valid
altsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call
fails with -EIO and triggers the leak.

Move the ->private_free assignment into create_card(), immediately
after usb_get_dev(), so that every error path reaching snd_card_free()
balances the reference. card_free()'s callees (snd_usb_caiaq_input_free,
free_urbs, kfree) already tolerate the partially-initialized state
because the chip private area is zero-initialized by snd_card_new().
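
The reference imbalance described above, modeled in userspace C as an added example (not the kernel's or the driver's code). Function names follow the description; the struct layouts, the `fixed` and `set_interface_ok` parameters and `probe_leak()` are hypothetical simplifications.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: names follow the description, bodies are assumed. */
struct usb_device { int refcount; };
struct snd_card { void (*private_free)(struct snd_card *); struct usb_device *dev; };
static void usb_get_dev(struct usb_device *d) { d->refcount++; }
static void usb_put_dev(struct usb_device *d) { d->refcount--; }
static void card_free(struct snd_card *card) { usb_put_dev(card->dev); }

static void snd_card_free(struct snd_card *card)
{
    if (card->private_free)             /* destructor runs only if installed */
        card->private_free(card);
}

static void create_card(struct snd_card *card, struct usb_device *dev, int fixed)
{
    card->private_free = NULL;          /* zeroed, as after snd_card_new() */
    card->dev = dev;
    usb_get_dev(dev);
    if (fixed)
        card->private_free = card_free; /* fix: pair the put with the get here */
}

static int init_card(struct snd_card *card, int fixed, int set_interface_ok)
{
    if (!set_interface_ok)
        return -5;                      /* -EIO from usb_set_interface() */
    if (!fixed)
        card->private_free = card_free; /* before the fix: assigned too late */
    return 0;
}

/* Hypothetical helper: references still held after the card is freed. */
int probe_leak(int fixed, int set_interface_ok)
{
    struct usb_device dev = { 1 };      /* baseline reference held by USB core */
    struct snd_card card;
    create_card(&card, &dev, fixed);
    (void)init_card(&card, fixed, set_interface_ok);
    snd_card_free(&card);               /* error path, or later disconnect */
    return dev.refcount - 1;
}

int main(void)
{
    printf("leaked refs: before fix %d, after fix %d\n", probe_leak(0, 0), probe_leak(1, 0));
    return 0;
}
```

In this model only the pre-fix ordering combined with a failing `usb_set_interface()` step leaves a reference outstanding; the successful probe path balances either way, which is why the leak shows up only on probe failure.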

Vulnerable products and versions

CPE                                             From                  Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.6.136 (including)   6.6.140 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.12.84 (including)   6.12.86 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.18.25 (including)   6.18.27 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    7.0.2 (including)     7.0.4 (excluding)
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*