Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: caiaq: fix usb_dev refcount leak on probe failure

create_card() takes a reference on the USB device with usb_get_dev()
and stores the matching usb_put_dev() in card_free(), which is
installed as the snd_card's ->private_free destructor.

However, ->private_free is only assigned near the end of init_card(),
after several failure points (usb_set_interface(), EP type checks,
usb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its
timeout). When any of those fail, init_card() returns an error to
snd_probe(), which calls snd_card_free(card). Because ->private_free
is still NULL, card_free() never runs, the usb_get_dev() reference
is not dropped, and the struct usb_device leaks along with its
descriptor allocations and device_private.

syzbot reproduces this with a malformed UAC3 device whose only valid
altsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call
fails with -EIO and triggers the leak.

Move the ->private_free assignment into create_card(), immediately
after usb_get_dev(), so that every error path reaching snd_card_free()
balances the reference. card_free()'s callees (snd_usb_caiaq_input_free,
free_urbs, kfree) already tolerate the partially-initialized state
because the chip private area is zero-initialized by snd_card_new().
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

During the initialization of an ALSA caiaq audio card in the Linux kernel, a reference counter leak occurs when usb_get_dev is called but usb_put_dev is never executed due to a missing assignment of the private_free destructor on failure paths. This results in an unbalanced reference count on the struct usb_device, causing leaked kernel memory that includes device descriptors and private data. The leak can be triggered by a non-compliant USB device, potentially leading to exhaustion of kernel memory and degraded system stability. No direct remote code execution or privilege escalation is achieved, but repeated exploitation could lead to a denial of service.
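A user-space model of the ordering bug described above, added here as an illustration and not taken from the kernel source or the patch. The function names mirror those in the description, but the bodies, the `fixed` and `fail_early` parameters and `probe_cycle()` are assumptions made for the example.

```c
#include <stdio.h>

/* User-space stand-ins for the kernel objects named in the description. */
struct usb_device { int refcount; };
struct snd_card {
    void (*private_free)(struct snd_card *);
    struct usb_device *dev;
};

static struct usb_device *usb_get_dev(struct usb_device *d) { d->refcount++; return d; }
static void usb_put_dev(struct usb_device *d) { d->refcount--; }
/* Destructor that holds the usb_put_dev() matching create_card()'s get. */
static void card_free(struct snd_card *c) { usb_put_dev(c->dev); }

static void snd_card_free(struct snd_card *c) {
    if (c->private_free)               /* NULL destructor: nothing is released */
        c->private_free(c);
}

static void create_card(struct snd_card *c, struct usb_device *d, int fixed) {
    c->private_free = NULL;
    c->dev = usb_get_dev(d);
    if (fixed)
        c->private_free = card_free;   /* patched: armed right after the get */
}

static int init_card(struct snd_card *c, int fail_early, int fixed) {
    if (fail_early)
        return -5;                     /* e.g. usb_set_interface() -> -EIO */
    if (!fixed)
        c->private_free = card_free;   /* unpatched: armed only near the end */
    return 0;
}

/* One probe attempt plus teardown; returns references leaked (0 = balanced). */
int probe_cycle(int fixed, int fail_early) {
    struct usb_device dev = { .refcount = 1 };  /* reference owned by USB core */
    struct snd_card card;
    create_card(&card, &dev, fixed);
    (void)init_card(&card, fail_early, fixed);
    snd_card_free(&card);   /* error path in snd_probe(), or later disconnect */
    return dev.refcount - 1;
}

int main(void) {
    printf("unpatched, early failure: leaked=%d\n", probe_cycle(0, 1));
    printf("patched,   early failure: leaked=%d\n", probe_cycle(1, 1));
    return 0;
}
```

Only the unpatched ordering combined with an early `init_card()` failure leaves a reference behind; the success path is balanced in both variants.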

Affected Systems

All Linux kernel installations that include the legacy ALSA caiaq driver compiled into the kernel are affected. This covers any operating system where the caiaq driver remains enabled, regardless of specific kernel release, as long as the kernel predates the patch that moved the private_free assignment into create_card().

Risk and Exploitability

The flaw can be triggered by an attacker who has the ability to connect a crafted USB device to the target machine, as the kernel performs usb_set_interface on device initialization. Because the exploit requires a hardware USB device and the kernel must be running the caiaq driver, the attack vector is classified as local or semi-physical rather than remote over the network. The EPSS score is not available and the CVE is not listed in the CISA KEV catalog, suggesting that no public exploit has been observed. Nonetheless, repeated failures during card initialization could lead to memory exhaustion, providing a potential denial‑of‑service path that may degrade or crash the host. The severity, though not quantified with a CVSS score, is therefore considered moderate, and the risk can be mitigated by applying the kernel update that addresses the reference count leak.

Generated by OpenCVE AI on May 27, 2026 at 18:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patch which moves the private_free assignment into create_card().
  • If an immediate kernel upgrade is not feasible, disable the ALSA caiaq driver by removing or blacklisting the module to prevent it from being loaded.
  • Replace or avoid using non‑compliant USB audio devices that could trigger the failure paths; ensure connected USB devices adhere to the UAC3 specification.


Advisories

No advisories yet.

History

Wed, 27 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-772, CWE-775

Wed, 27 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | (text identical to the Description section at the top of this page)
Title | | ALSA: caiaq: fix usb_dev refcount leak on probe failure
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:57:04.477Z

Reserved: 2026-05-13T15:03:33.094Z

Link: CVE-2026-46048

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:24.310

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46048

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T18:30:26Z
