Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: caiaq: Handle probe errors properly

The probe procedure of setup_card() in caiaq driver doesn't treat the
error cases gracefully, e.g. the error from snd_card_register() calls
snd_card_free() but continues. This would lead to a UAF for the
further calls like snd_usb_caiaq_control_init(), as Berk suggested in
another patch in the link below.

However, the problem is not only that; in general, this function drops
the all error handlings (as it's a void function) although its caller
can propagate an error to snd_probe(), which eventually calls
snd_card_free() as a proper error path. That said, we should treat
each error case in setup_card(), and just return the error code
promptly, which is then handled later as a fatal error in snd_probe().

This patch achieves it by changing the setup_card() to return an error
code. Also, the superfluous snd_card_free() call is removed, too.

Note that card->private_free can be set still safely at returning an
error. All called functions in card_free() have checks of the
unassigned resources or NULL checks.
Published: 2026-05-27
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ALSA caiaq driver’s probe routine did not handle errors properly. When card registration failed, the routine freed the card structure and continued, exposing it to a use‑after‑free (CWE‑825). Based on the description, it is inferred that an attacker with local access could trigger this flaw to corrupt kernel memory, potentially causing a crash or enabling arbitrary kernel code execution.

Affected Systems

All Linux kernel configurations that include the ALSA caiaq driver are vulnerable until the patch that changes the probe routine to return errors is applied. Any kernel version prior to the update is considered affected; specific affected releases are not enumerated in the advisory.

Risk and Exploitability

The CVSS base score of 7.0 indicates high severity. The EPSS score is not available, and the vulnerability is not yet listed in CISA’s KEV catalog, suggesting no publicly confirmed exploits. However, based on the description, it is inferred that because it is a local kernel bug that can lead to privilege escalation or denial of service, the risk remains significant for systems with the driver enabled.

Generated by OpenCVE AI on May 28, 2026 at 05:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Linux kernel release that includes the patch for the ALSA caiaq probe error handling
  • If a kernel update is not immediately possible, disable the caiaq driver from loading by adding ‘modprobe.blacklist=caiaq’ to boot options or module configuration files
  • Monitor kernel logs for suspicious activity related to ALSA operations or kernel crashes, and investigate any crash dumps for signs of use‑after‑free events

Generated by OpenCVE AI on May 28, 2026 at 05:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
References

Thu, 28 May 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 27 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: Handle probe errors properly The probe procedure of setup_card() in caiaq driver doesn't treat the error cases gracefully, e.g. the error from snd_card_register() calls snd_card_free() but continues. This would lead to a UAF for the further calls like snd_usb_caiaq_control_init(), as Berk suggested in another patch in the link below. However, the problem is not only that; in general, this function drops the all error handlings (as it's a void function) although its caller can propagate an error to snd_probe(), which eventually calls snd_card_free() as a proper error path. That said, we should treat each error case in setup_card(), and just return the error code promptly, which is then handled later as a fatal error in snd_probe(). This patch achieves it by changing the setup_card() to return an error code. Also, the superfluous snd_card_free() call is removed, too. Note that card->private_free can be set still safely at returning an error. All called functions in card_free() have checks of the unassigned resources or NULL checks.
Title ALSA: caiaq: Handle probe errors properly
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:47:26.278Z

Reserved: 2026-05-13T15:03:33.091Z

Link: CVE-2026-46004

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T14:17:18.120

Modified: 2026-06-16T15:26:04.197

Link: CVE-2026-46004

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46004 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T05:45:05Z

Weaknesses