Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: 6fire: fix use-after-free on disconnect

In usb6fire_chip_abort(), the chip struct is allocated as the card's
private data (via snd_card_new with sizeof(struct sfire_chip)). When
snd_card_free_when_closed() is called and no file handles are open, the
card and embedded chip are freed synchronously. The subsequent
chip->card = NULL write then hits freed slab memory.

Call trace:
usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline]
usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182
usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458
...
hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953

Fix by moving the card lifecycle out of usb6fire_chip_abort() and into
usb6fire_chip_disconnect(). The card pointer is saved in a local
before any teardown, snd_card_disconnect() is called first to prevent
new opens, URBs are aborted while chip is still valid, and
snd_card_free_when_closed() is called last so chip is never accessed
after the card may be freed.
Published: 2026-04-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑after‑free leading to kernel memory corruption and possible privilege escalation or denial of service
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the ALSA 6fire driver of the Linux kernel, where a use‑after‑free occurs during device disconnect. The bug allows the driver to write to freed memory after the ALSA card and its chip structure are released, which can corrupt kernel memory. An attacker could potentially exploit this to gain kernel‑level execution privileges or cause a system crash, affecting confidentiality, integrity, and availability.

Affected Systems

The flaw affects any Linux kernel installation that includes the ALSA 6fire USB audio driver prior to the commit that moves the card lifecycle out of usb6fire_chip_abort. No specific kernel version is listed, so all affected kernel releases that contain the unpatched driver are implicated.

Risk and Exploitability

The CVSS score of 7.8 rates the issue as high impact, while the EPSS score of less than 1 % indicates a low likelihood of widespread exploitation at present. The vulnerability is not yet listed in CISA’s KEV catalog. Exploitation would most likely require physical or local access to the USB audio device, or the ability to cause a disconnect event, making it a local or device‑based attack vector.

Generated by OpenCVE AI on April 28, 2026 at 14:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the patch fixing the use‑after‑free in the ALSA 6fire driver.
  • Reboot the system after the kernel upgrade to ensure the new driver is loaded and the vulnerable code is no longer active.
  • If an immediate kernel update is unavailable, blacklist or unload the 6fire module (e.g., add "install 6fire /bin/true" to /etc/modprobe.d/blacklist.conf) to prevent the driver from loading and eliminate the risk of the vulnerability being triggered.

Generated by OpenCVE AI on April 28, 2026 at 14:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Mon, 27 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
References

Mon, 27 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
References

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: fix use-after-free on disconnect In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfire_chip)). When snd_card_free_when_closed() is called and no file handles are open, the card and embedded chip are freed synchronously. The subsequent chip->card = NULL write then hits freed slab memory. Call trace: usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline] usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182 usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458 ... hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953 Fix by moving the card lifecycle out of usb6fire_chip_abort() and into usb6fire_chip_disconnect(). The card pointer is saved in a local before any teardown, snd_card_disconnect() is called first to prevent new opens, URBs are aborted while chip is still valid, and snd_card_free_when_closed() is called last so chip is never accessed after the card may be freed.
Title ALSA: 6fire: fix use-after-free on disconnect
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:11:33.670Z

Reserved: 2026-03-09T15:48:24.119Z

Link: CVE-2026-31581

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T15:16:32.797

Modified: 2026-04-27T20:28:08.840

Link: CVE-2026-31581

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31581 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T14:15:34Z

Weaknesses