CVE-2026-31701 - Vulnerability Details

- ALSA: caiaq: take a reference on the USB device in create_card()

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: caiaq: take a reference on the USB device in create_card()

The caiaq driver stores a pointer to the parent USB device in
cdev->chip.dev but never takes a reference on it. The card's
private_free callback, snd_usb_caiaq_card_free(), can run
asynchronously via snd_card_free_when_closed() after the USB
device has already been disconnected and freed, so any access to
cdev->chip.dev in that path dereferences a freed usb_device.

On top of the refcounting issue, the current card_free implementation
calls usb_reset_device(cdev->chip.dev). A reset in a free callback
is inappropriate: the device is going away, the call takes the
device lock in a teardown context, and the reset races with the
disconnect path that the callback is already cleaning up after.

Take a reference on the USB device in create_card() with
usb_get_dev(), drop it with usb_put_dev() in the free callback,
and remove the usb_reset_device() call.

Published: 2026-05-01

Score: 7.0 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The ALSA caiaq driver in the Linux kernel fails to increment the reference count for the parent USB device, causing the card’s asynchronous free callback to access freed memory. The callback also attempts to reset the device during teardown, which can race with the disconnect process. This use‑after‑free vulnerability could allow a local attacker controlling a USB audio device to execute arbitrary code in kernel space, potentially escalating privileges.

Affected Systems

Linux kernels that include the ALSA caiaq driver are affected. No specific kernel versions are listed, so all current releases containing this driver are potentially vulnerable until the patch is included.

Risk and Exploitability

The vulnerability qualifies as a high‑severity use‑after‑free in the kernel, providing a locally exploitable path for privilege escalation. No EPSS score is available and the issue is not listed in the CISA KEV catalog. Exploitation would require a physical USB device and local attacker access, but once triggered, the impact could be complete system compromise. The CVSS score of 7.0 indicates a high severity.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`4507a8b9b30344c5ddd8219945f446d47e966a6d`	affected	< f6634af5de728a46792f674a66d7843570cb68f7
`a3f9314752dbb6f6aa1f0f2b4c58243bda800738`	affected	< 1d9be95aee6c6246a21752e60c9519902649f482
`b04dcbb7f7b1908806b7dc22671cdbe78ff2b82c`	affected	< 6473ed16df1fe88051140611b3eb9a49be7f429e
`b04dcbb7f7b1908806b7dc22671cdbe78ff2b82c`	affected	< 59b622a043cffc58b7638cd85ae6c30a0904f8e6
`b04dcbb7f7b1908806b7dc22671cdbe78ff2b82c`	affected	< 80bb50e2d459213cccff3111d5ef98ed4238c0d5
`3993edf44d3df7b6e8c753eac6ac8783473fcbab`	affected	—
`ebad462eec93b0f701dfe4de98990e7355283801`	affected	—
`4dd821dcbfcecf7af6a08370b0b217cde2818acf`	affected	—
`cadf1d8e9ddcd74584ec961aeac14ac549b261d8`	affected	—
`237f3faf0177bdde728fa3106d730d806436aa4d`	affected	—
`dd0de8cb708951cebf727aa045e8242ba651bb52`	affected	—

Linux

affected

Version	Status	Constraints
`6.13`	affected	—
`0`	unaffected	< 6.13
`6.6.136`	unaffected	≤ 6.6.*
`6.12.84`	unaffected	≤ 6.12.*
`6.18.25`	unaffected	≤ 6.18.*
`7.0.2`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[4507a8b9b30344c5ddd8219945f446d47e966a6d,f6634af5de728a46792f674a66d7843570cb68f7)`	affected	code_commit	—
`[a3f9314752dbb6f6aa1f0f2b4c58243bda800738,1d9be95aee6c6246a21752e60c9519902649f482)`	affected	code_commit	—
`[b04dcbb7f7b1908806b7dc22671cdbe78ff2b82c,6473ed16df1fe88051140611b3eb9a49be7f429e)`	affected	code_commit	—
`[b04dcbb7f7b1908806b7dc22671cdbe78ff2b82c,59b622a043cffc58b7638cd85ae6c30a0904f8e6)`	affected	code_commit	—
`[b04dcbb7f7b1908806b7dc22671cdbe78ff2b82c,80bb50e2d459213cccff3111d5ef98ed4238c0d5)`	affected	code_commit	—
`3993edf44d3df7b6e8c753eac6ac8783473fcbab`	affected	code_commit	—
`ebad462eec93b0f701dfe4de98990e7355283801`	affected	code_commit	—
`4dd821dcbfcecf7af6a08370b0b217cde2818acf`	affected	code_commit	—
`cadf1d8e9ddcd74584ec961aeac14ac549b261d8`	affected	code_commit	—
`237f3faf0177bdde728fa3106d730d806436aa4d`	affected	code_commit	—
`dd0de8cb708951cebf727aa045e8242ba651bb52`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.13`	affected	semver	—
`[0,6.13)`	unaffected	semver	—
`[6.6.136,6.7.0)`	unaffected	semver	—
`[6.12.84,6.13.0)`	unaffected	semver	—
`[6.18.25,6.19.0)`	unaffected	semver	—
`[7.0.2,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update to a Linux kernel version that includes the firmware fix which adds usb_get_dev() in create_card(), usb_put_dev() in the free callback, and removes the usb_reset_device() call.
Rebuild or reload the ALSA caiaq driver after the kernel update to ensure the patched code is in use.
If an immediate kernel upgrade is not possible, disable the caiaq driver for unused USB audio devices by blacklisting the module to prevent the use‑after‑free from being triggered.

Generated by OpenCVE AI on May 2, 2026 at 10:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1d9be95aee6c6246a21752e60c9519902649f482
https://git.kernel.org/stable/c/59b622a043cffc58b7638cd85ae6c30a0904f8e6
https://git.kernel.org/stable/c/6473ed16df1fe88051140611b3eb9a49be7f429e
https://git.kernel.org/stable/c/80bb50e2d459213cccff3111d5ef98ed4238c0d5
https://git.kernel.org/stable/c/f6634af5de728a46792f674a66d7843570cb68f7
https://lore.kernel.org/linux-cve-announce/2026050119-CVE-2026-31701-fb7c@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31701
https://www.cve.org/CVERecord?id=CVE-2026-31701

History

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825
References		https://lore.kernel.org/linux-cve-announce/2026050119-CVE-2026-31701-fb7c@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31701 https://www.cve.org/CVERecord?id=CVE-2026-31701
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 01 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: take a reference on the USB device in create_card() The caiaq driver stores a pointer to the parent USB device in cdev->chip.dev but never takes a reference on it. The card's private_free callback, snd_usb_caiaq_card_free(), can run asynchronously via snd_card_free_when_closed() after the USB device has already been disconnected and freed, so any access to cdev->chip.dev in that path dereferences a freed usb_device. On top of the refcounting issue, the current card_free implementation calls usb_reset_device(cdev->chip.dev). A reset in a free callback is inappropriate: the device is going away, the call takes the device lock in a teardown context, and the reset races with the disconnect path that the callback is already cleaning up after. Take a reference on the USB device in create_card() with usb_get_dev(), drop it with usb_put_dev() in the free callback, and remove the usb_reset_device() call.
Title		ALSA: caiaq: take a reference on the USB device in create_card()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1d9be95aee6c6246a21752e60c9519902649f482 https://git.kernel.org/stable/c/59b622a043cffc58b7638cd85ae6c30a0904f8e6 https://git.kernel.org/stable/c/6473ed16df1fe88051140611b3eb9a49be7f429e https://git.kernel.org/stable/c/80bb50e2d459213cccff3111d5ef98ed4238c0d5 https://git.kernel.org/stable/c/f6634af5de728a46792f674a66d7843570cb68f7

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T13:56:00.869Z

Updated: 2026-05-01T13:56:00.869Z

Reserved: 2026-03-09T15:48:24.132Z

Link: CVE-2026-31701

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T14:16:20.020

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31701

Redhat

Severity : Moderate

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31701 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-01T19:45:23Z

Weaknesses

CWE-825

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object