Description
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel's ALSA caiaq driver contains a flaw where a pending USB Request Block (URB) named ep1_in_urb may remain allocated when the setup_card() function encounters an error. Because the kernel does not cancel or free this URB on the error path, the resource can leak, consuming kernel memory and potentially degrading system stability or leading to a denial of service. This flaw is a kernel‑level resource management issue that can affect any system running the affected driver version.

Affected Systems

The issue is present in the ALSA caiaq driver of the Linux kernel. No specific kernel version range is listed, so all kernel releases that include this driver are potentially affected unless later superseded by a patch.

Risk and Exploitability

The CVSS score is 5.5, the EPSS score is unavailable, and the flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that the vulnerability requires local access to the ALSA caiaq driver and a scenario that triggers the setup_card() error path, suggesting a moderate exploitation likelihood. An attacker with the ability to cause the error could exhaust kernel memory or destabilise the system. Remote exploitation without privileged access is unlikely based on the available description.

Generated by OpenCVE AI on May 28, 2026 at 05:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to the latest stable release that contains the ALSA caiaq driver fix.
  • If an immediate kernel upgrade is not possible, prevent loading the caiaq driver for devices that could trigger the error path by adding a blacklist entry or disabling the relevant hardware.
  • Reboot the system after applying the patch or blacklist to ensure all driver instances are re‑initialized.



Advisories

No advisories yet.

History

Mon, 15 Jun 2026 10:30:00 +0000


Mon, 15 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path The previous fix for handling the error from setup_card() missed that an internal URB cdev->ep1_in_urb might have been already submitted beforehand. In the normal case, this URB gets killed at the disconnection, but in the error path, we didn't do it, hence there can be a potential leak. Fix it in the error path for setup_card(), too. This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Title ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path kernel: ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Mon, 01 Jun 2026 17:00:00 +0000


Thu, 28 May 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 27 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path The previous fix for handling the error from setup_card() missed that an internal URB cdev->ep1_in_urb might have been already submitted beforehand. In the normal case, this URB gets killed at the disconnection, but in the error path, we didn't do it, hence there can be a potential leak. Fix it in the error path for setup_card(), too.
Title ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: REJECTED

Assigner: Linux

Published:

Updated: 2026-06-15T08:05:14.376Z

Reserved: 2026-05-13T15:03:33.091Z

Link: CVE-2026-45992

Vulnrichment

No data.

NVD

Status : Rejected

Published: 2026-05-27T14:17:16.747

Modified: 2026-06-15T10:16:28.383

Link: CVE-2026-45992

Redhat

Severity : Low

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45992 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T05:30:06Z

Weaknesses
  • CWE-772

    Missing Release of Resource after Effective Lifetime