Description
In the Linux kernel, the following vulnerability has been resolved:

ASoC: sma1307: fix double free of devm_kzalloc() memory

A previous change added NULL checks and cleanup for allocation
failures in sma1307_setting_loaded().

However, the cleanup for mode_set entries is wrong. Those entries are
allocated with devm_kzalloc(), so they are device-managed resources and
must not be freed with kfree(). Manually freeing them in the error path
can lead to a double free when devres later releases the same memory.

Drop the manual kfree() loop and let devres handle the cleanup.
Published: 2026-04-22
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Immediately
AI Analysis

Impact

A memory‑management flaw was discovered in the Linux kernel’s Advanced Sound Architecture (ASoC) driver for the sma1307 audio codec. The bug arises when the driver attempts to free device‑managed memory allocated with devm_kzalloc() via a manual kfree() loop during error handling. Because devm_kzalloc() memory is automatically freed by the device‑resource allocator, the manual kfree causes a double‑free (CWE-415). This misuse also violates device‑resource management best practices (CWE-763). A double‑free can corrupt kernel memory, potentially leading to a kernel panic or other unintended behavior, but there is no documented evidence that it can be leveraged for privilege escalation.

Affected Systems

Affected systems run Linux kernel versions that include the sma1307 driver before the revert commit. The vulnerability is present in kernel 6.15 and all 7.0 release candidates up to rc7. Any system that has the sma1307 driver enabled and is running a kernel before the applied patch is susceptible. Systems using more recent stable kernels that incorporate the fix are not affected.

Risk and Exploitability

The CVSS score of 7.8 reflects high severity, while the EPSS score of < 1 % indicates a low likelihood of exploitation in the wild. The issue is not currently listed in the CISA KEV catalog. Exploitation requires the attacker to trigger the driver’s error path, which generally necessitates local presence or the ability to load the driver. Once triggered, it can lead to a kernel panic, service disruption, or other unintended behavior. Administrators should treat it as a high‑risk local vulnerability.

Generated by OpenCVE AI on April 29, 2026 at 00:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that integrates commit 1a82c3272626db9006f4c2cad3adf2916417aed6, such as the latest 6.15 or 7.0 release that contains the fix.
  • If the sma1307 audio codec is not required, disable or unload the driver to remove the attack surface.
  • Continuously monitor kernel logs (e.g., dmesg) for indications of double‑free, kfree errors, or unexpected crashes that could signal an attempted exploitation.

Generated by OpenCVE AI on April 29, 2026 at 00:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Mon, 27 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CPEs cpe:2.3:o:linux:linux_kernel:6.15:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-763
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ASoC: sma1307: fix double free of devm_kzalloc() memory A previous change added NULL checks and cleanup for allocation failures in sma1307_setting_loaded(). However, the cleanup for mode_set entries is wrong. Those entries are allocated with devm_kzalloc(), so they are device-managed resources and must not be freed with kfree(). Manually freeing them in the error path can lead to a double free when devres later releases the same memory. Drop the manual kfree() loop and let devres handle the cleanup.
Title ASoC: sma1307: fix double free of devm_kzalloc() memory
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:05:07.958Z

Reserved: 2026-03-09T15:48:24.098Z

Link: CVE-2026-31475

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T14:16:44.207

Modified: 2026-04-27T23:25:50.330

Link: CVE-2026-31475

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31475 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T00:15:43Z

Weaknesses