CVE-2026-31701
Description
In the Linux kernel, the following vulnerability has been resolved:
ALSA: caiaq: take a reference on the USB device in create_card()
The caiaq driver stores a pointer to the parent USB device in cdev->chip.dev but never takes a reference on it. The card's private_free callback, snd_usb_caiaq_card_free(), can run asynchronously via snd_card_free_when_closed() after the USB device has already been disconnected and freed, so any access to cdev->chip.dev in that path dereferences a freed usb_device.
On top of the refcounting issue, the current card_free implementation calls usb_reset_device(cdev->chip.dev). A reset in a free callback is inappropriate: the device is going away, the call takes the device lock in a teardown context, and the reset races with the disconnect path that the callback is already cleaning up after.
Take a reference on the USB device in create_card() with usb_get_dev(), drop it with usb_put_dev() in the free callback, and remove the usb_reset_device() call.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's ALSA caiaq driver, a missing USB device reference count leads to a use-after-free when the sound card is freed after USB disconnection.
Vulnerability
The ALSA caiaq driver for Native Instruments USB audio devices stores a pointer to the parent USB device in cdev->chip.dev but never increments its reference count via usb_get_dev(). The card's private free callback, snd_usb_caiaq_card_free(), can run asynchronously through snd_card_free_when_closed() after the USB device has already been disconnected and freed. This results in a use-after-free when the callback accesses cdev->chip.dev [1].
Exploitation
An attacker with physical access to the USB port could trigger the race condition by disconnecting the device while the sound card is still in use or being released. No special privileges are required beyond being a physically present user. The vulnerability is triggered during normal device removal, not through a crafted input [2].
Impact
A successful exploit could lead to a kernel crash (denial of service) or potentially arbitrary code execution in kernel context, depending on the memory state. The CVSS v3 score of 5.5 (Medium) reflects the need for physical access and the limited scope of confidentiality/integrity impact [3].
Mitigation
The fix, merged into the Linux kernel stable tree, adds usb_get_dev() in create_card() and usb_put_dev() in the free callback, and removes the inappropriate usb_reset_device() call that could cause further issues. Users should apply the latest kernel updates from their distribution [4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
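The lifetime rule from the description, modelled in userspace C as an added example (not the kernel patch or the driver's code). The mock_* types and functions are hypothetical stand-ins for usb_device, usb_get_dev() and usb_put_dev(), and the mock device lives on the stack so its released flag can be inspected safely after the last reference is dropped.

```c
/* Userspace model of the caiaq lifetime bug; mock_* names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

struct mock_usb_device { int refcount; bool released; };
struct mock_card { struct mock_usb_device *dev; bool holds_ref; };

/* Stand-ins for usb_get_dev()/usb_put_dev(): last put releases the device. */
static struct mock_usb_device *mock_get_dev(struct mock_usb_device *d)
{
    d->refcount++;
    return d;
}

static void mock_put_dev(struct mock_usb_device *d)
{
    if (--d->refcount == 0)
        d->released = true;
}

/* private_free callback: true if the device it touches is still live. */
static bool mock_card_free(struct mock_card *c)
{
    bool live = !c->dev->released;
    if (c->holds_ref)
        mock_put_dev(c->dev);   /* fixed driver drops its own reference */
    return live;
}

/* Disconnect drops the USB core's reference while an open handle defers
 * the card free; returns true if the device was live when the free ran. */
static bool dev_live_at_card_free(bool fixed, int *final_refcount)
{
    struct mock_usb_device dev = { .refcount = 1, .released = false };
    /* create_card(): only the fixed driver takes its own reference. */
    struct mock_card card = { fixed ? mock_get_dev(&dev) : &dev, fixed };

    mock_put_dev(&dev);                 /* disconnect path */
    bool live = mock_card_free(&card);  /* deferred free runs afterwards */
    *final_refcount = dev.refcount;
    return live;
}

int main(void)
{
    int rc;
    printf("unfixed live=%d\n", dev_live_at_card_free(false, &rc));
    printf("fixed   live=%d\n", dev_live_at_card_free(true, &rc));
    return 0;
}
```

In the unfixed ordering the callback sees a device that has already been released; with the extra reference the device stays live until the callback drops it, and the count still ends balanced at zero.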
Affected products: 4
Patches: 0
No patches discovered yet.
References (5)
- git.kernel.org/stable/c/1d9be95aee6c6246a21752e60c9519902649f482 (nvd, Patch)
- git.kernel.org/stable/c/59b622a043cffc58b7638cd85ae6c30a0904f8e6 (nvd, Patch)
- git.kernel.org/stable/c/6473ed16df1fe88051140611b3eb9a49be7f429e (nvd, Patch)
- git.kernel.org/stable/c/80bb50e2d459213cccff3111d5ef98ed4238c0d5 (nvd, Patch)
- git.kernel.org/stable/c/f6634af5de728a46792f674a66d7843570cb68f7 (nvd, Patch)