CVE-2026-31475 - Vulnerability Details

- ASoC: sma1307: fix double free of devm_kzalloc() memory

Description

In the Linux kernel, the following vulnerability has been resolved:

ASoC: sma1307: fix double free of devm_kzalloc() memory

A previous change added NULL checks and cleanup for allocation
failures in sma1307_setting_loaded().

However, the cleanup for mode_set entries is wrong. Those entries are
allocated with devm_kzalloc(), so they are device-managed resources and
must not be freed with kfree(). Manually freeing them in the error path
can lead to a double free when devres later releases the same memory.

Drop the manual kfree() loop and let devres handle the cleanup.

Published: 2026-04-22

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A memory management flaw in the Linux kernel’s ASoC audio subsystem allows a double free of device‑managed data allocated by devm_kzalloc(). The original cleanup loop incorrectly called kfree(), which can trigger a second free when the device’s resource allocator later releases the same memory. This vulnerability may cause a crash of the audio driver or, in a worst case scenario, arbitrary code execution with kernel‑level privileges. The description states that the bug was fixed by removing the manual kfree loop and delegating cleanup to devres.*

Affected Systems

The vulnerability exists in the Linux kernel source tree. No specific kernel release or version is enumerated in the advisory; it applies to any kernel configuration that includes the sma1307 audio driver prior to the referenced commit that deletes the manual cleanup loop.

Risk and Exploitability

Because the change is internal to the kernel, exploitation requires that an attacker can trigger the audio driver’s error path, likely through crafted audio data or device interactions. No EPSS score is supplied, and the issue is not listed in the KEV catalog, but double‑free bugs in the kernel are generally considered high‑severity. Attackers with local privileges or those able to load the driver can potentially exploit it, making it a high‑risk vulnerability if a patched kernel is not in use.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`0ec6bd16705fe21d6429d6b8f7981eae2142bba8`	affected	< d472d1a52985211b92883bb64bbe710b45980190
`0ec6bd16705fe21d6429d6b8f7981eae2142bba8`	affected	< 1a82c3272626db9006f4c2cad3adf2916417aed6
`0ec6bd16705fe21d6429d6b8f7981eae2142bba8`	affected	< fe757092d2329c397ecb32f2bf68a5b1c4bd9193
`f8434b8ba437d3f6cbcd9ffe8405bd16ed28fc5c`	affected	—

Linux

affected

Version	Status	Constraints
`6.15`	affected	—
`0`	unaffected	< 6.15
`6.18.21`	unaffected	≤ 6.18.*
`6.19.11`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[0ec6bd16705fe21d6429d6b8f7981eae2142bba8,d472d1a52985211b92883bb64bbe710b45980190)`	affected	code_commit	—
`[0ec6bd16705fe21d6429d6b8f7981eae2142bba8,1a82c3272626db9006f4c2cad3adf2916417aed6)`	affected	code_commit	—
`[0ec6bd16705fe21d6429d6b8f7981eae2142bba8,fe757092d2329c397ecb32f2bf68a5b1c4bd9193)`	affected	code_commit	—
`f8434b8ba437d3f6cbcd9ffe8405bd16ed28fc5c`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.15`	affected	generic	—
`[0,6.15)`	unaffected	semver	—
`[0,6.19.0)`	unaffected	semver	—
`[0,6.20.0)`	unaffected	semver	—
`[0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest kernel release that contains commit 1a82c3272626db9006f4c2cad3adf2916417aed6 which removes the manual kfree cleanup loop
Verify that the sma1307 audio driver is either updated or disabled if the system remains on an older kernel
Audit system logs for repeated "device resource released" errors as an early indicator of an exploitation attempt

Generated by OpenCVE AI on April 22, 2026 at 18:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1a82c3272626db9006f4c2cad3adf2916417aed6
https://git.kernel.org/stable/c/d472d1a52985211b92883bb64bbe710b45980190
https://git.kernel.org/stable/c/fe757092d2329c397ecb32f2bf68a5b1c4bd9193
https://lore.kernel.org/linux-cve-announce/2026042256-CVE-2026-31475-74ed@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31475
https://www.cve.org/CVERecord?id=CVE-2026-31475

History

Thu, 23 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-763
References		https://lore.kernel.org/linux-cve-announce/2026042256-CVE-2026-31475-74ed@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31475 https://www.cve.org/CVERecord?id=CVE-2026-31475
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 22 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Wed, 22 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ASoC: sma1307: fix double free of devm_kzalloc() memory A previous change added NULL checks and cleanup for allocation failures in sma1307_setting_loaded(). However, the cleanup for mode_set entries is wrong. Those entries are allocated with devm_kzalloc(), so they are device-managed resources and must not be freed with kfree(). Manually freeing them in the error path can lead to a double free when devres later releases the same memory. Drop the manual kfree() loop and let devres handle the cleanup.
Title		ASoC: sma1307: fix double free of devm_kzalloc() memory
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1a82c3272626db9006f4c2cad3adf2916417aed6 https://git.kernel.org/stable/c/d472d1a52985211b92883bb64bbe710b45980190 https://git.kernel.org/stable/c/fe757092d2329c397ecb32f2bf68a5b1c4bd9193

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-22T13:54:04.113Z

Updated: 2026-04-22T13:54:04.113Z

Reserved: 2026-03-09T15:48:24.098Z

Link: CVE-2026-31475

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-22T14:16:44.207

Modified: 2026-04-22T14:16:44.207

Link: CVE-2026-31475

Redhat

Severity : Moderate

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31475 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T19:00:08Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object