VYPR
← All advisories
Unrated severityNVD Advisory· Published Feb 4, 2026· Updated Apr 15, 2026

CVE-2025-71192

CVE-2025-71192

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: ac97: fix a double free in snd_ac97_controller_register()

If ac97_add_adapter() fails, put_device() is the correct way to drop the device reference. kfree() is not required. Add kfree() if idr_alloc() fails and in ac97_adapter_release() to do the cleanup.

Found by code review.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A double-free vulnerability in the Linux kernel's ALSA AC97 driver during controller registration could lead to memory corruption.

The vulnerability is a double free in snd_ac97_controller_register() in the ALSA AC97 driver. When ac97_add_adapter() fails, the code incorrectly used kfree() instead of put_device(), causing a double free. Additionally, missing kfree() calls when idr_alloc() fails and in ac97_adapter_release() could lead to memory leaks.

Exploitation requires the ability to trigger the error path during AC97 controller registration, which typically involves specific hardware or driver conditions. The vulnerability is reachable locally but prerequisites are limited.

A successful exploit could cause double free memory corruption, potentially leading to system crash or privilege escalation in a kernel context.

The issue was fixed by commits [1] and [2] in the Linux kernel stable trees. Users are advised to apply the latest security updates.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.