Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: caiaq: Handle probe errors properly

The probe procedure of setup_card() in caiaq driver doesn't treat the
error cases gracefully, e.g. the error from snd_card_register() calls
snd_card_free() but continues. This would lead to a UAF for the
further calls like snd_usb_caiaq_control_init(), as Berk suggested in
another patch in the link below.

However, the problem is not only that; in general, this function drops
the all error handlings (as it's a void function) although its caller
can propagate an error to snd_probe(), which eventually calls
snd_card_free() as a proper error path. That said, we should treat
each error case in setup_card(), and just return the error code
promptly, which is then handled later as a fatal error in snd_probe().

This patch achieves it by changing the setup_card() to return an error
code. Also, the superfluous snd_card_free() call is removed, too.

Note that card->private_free can be set still safely at returning an
error. All called functions in card_free() have checks of the
unassigned resources or NULL checks.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ALSA caiaq driver’s probe routine did not handle errors gracefully. When snd_card_register() failed, the routine called snd_card_free() and then continued executing, exposing the card structure to a use‑after‑free (UAF). This flaw allows a privileged user to cause an arbitrary memory free and subsequently execute code in the kernel context, leading to privilege escalation or denial of service.

Affected Systems

All Linux kernel instances that include the ALSA caiaq driver are susceptible unless the kernel has been updated to the patched version. Specific version information is not cited, so any kernel prior to the patch is considered affected.

Risk and Exploitability

The CVSS score is not provided, but the nature of the vulnerability—an unreclaimed kernel memory free—normally falls into a high severity band. The EPSS score is unavailable and the vulnerability is not present in CISA’s KEV catalog, suggesting no confirmed exploits yet. However, because the kernel can be treated as a local privilege escalation vector, the risk remains significant for systems with the driver enabled.

Generated by OpenCVE AI on May 27, 2026 at 17:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that contains the patch for the ALSA caiaq probe error handling
  • If a kernel update is not feasible, disable the ALSA caiaq driver or prevent it from loading by setting ‘modprobe.blacklist=caiaq’
  • Monitor system logs for anomalous access violations or use‑after‑free indications, and audit kernel crash dumps for related patterns

Generated by OpenCVE AI on May 27, 2026 at 17:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: Handle probe errors properly The probe procedure of setup_card() in caiaq driver doesn't treat the error cases gracefully, e.g. the error from snd_card_register() calls snd_card_free() but continues. This would lead to a UAF for the further calls like snd_usb_caiaq_control_init(), as Berk suggested in another patch in the link below. However, the problem is not only that; in general, this function drops the all error handlings (as it's a void function) although its caller can propagate an error to snd_probe(), which eventually calls snd_card_free() as a proper error path. That said, we should treat each error case in setup_card(), and just return the error code promptly, which is then handled later as a fatal error in snd_probe(). This patch achieves it by changing the setup_card() to return an error code. Also, the superfluous snd_card_free() call is removed, too. Note that card->private_free can be set still safely at returning an error. All called functions in card_free() have checks of the unassigned resources or NULL checks.
Title ALSA: caiaq: Handle probe errors properly
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:56:01.851Z

Reserved: 2026-05-13T15:03:33.091Z

Link: CVE-2026-46004

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:18.120

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46004

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T17:15:38Z

Weaknesses