Unrated severityNVD Advisory· Published May 27, 2026· Updated May 27, 2026

CVE-2026-45992

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path

The previous fix for handling the error from setup_card() missed that an internal URB cdev->ep1_in_urb might have been already submitted beforehand. In the normal case, this URB gets killed at the disconnection, but in the error path, we didn't do it, hence there can be a potential leak.

Fix it in the error path for setup_card(), too.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free or resource leak in the Linux kernel's ALSA caiaq driver can occur due to a missed URB cleanup in the error path of setup_card().

Vulnerability

The Linux kernel's ALSA caiaq driver (sound/usb/caiaq/) contains a flaw in the error handling of setup_card(). The previous fix addressing an error from setup_card() did not account for the internal URB cdev->ep1_in_urb, which may have already been submitted before the error path is taken. In the normal disconnection path, this URB is properly killed, but the error path omits this step, leading to a potential resource leak. This affects kernel versions that include the prior incomplete fix (the commit referenced as [1]) and may also impact earlier versions where the error path lacks this cleanup. The specific commit 438ab932dc6fef5b001dfeba08a18a491edc8f7b introduces the fix described here.

Exploitation

An attacker would need to trigger an error condition in setup_card() after the URB ep1_in_urb has been submitted. This could be achieved by inserting a non-compliant or faulty USB device that causes setup_card() to fail at the right moment, or by influencing system state (e.g., via memory pressure or other resource constraints) that leads to an error return while the URB is active. No special privileges beyond USB device access are required, though physical or logical USB device attachment is necessary.

Impact

If the URB is not killed, it remains scheduled in the USB core. Upon driver unbind or device disconnect, this may lead to a use-after-free condition when the URB completes after its context (the cdev structure) has been freed. This can result in a kernel crash, memory corruption, or potentially arbitrary code execution. The severity is dependent on system configuration and the attacker's ability to control the timing and content of the URB completion.

Mitigation

The fix is included in commit 438ab932dc6fef5b001dfeba08a18a491edc8f7b, which was applied to the Linux kernel stable trees. Users should update to a kernel version containing this fix. As of the publication date (2026-05-27), the fix is available in the mainline and stable repositories. Administrators can verify whether their kernel includes the fix by checking the commit ID. No workaround is available, but the exposure is limited to systems that use the caiaq driver (typically for Native Instruments USB audio devices).

References

Making sure you're not a bot!

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Linux/Kernelllm-fuzzy

Patches

1d160e30aa42

ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitTakashi IwaiApr 27, 2026Fixed in 6.18.27via kernel-cna

commit

1 file changed · +1 −2

sound/usb/caiaq/device.c+1 −2 modified

diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
index 8af0c04041ee3e..e6fe82e4e3d75a 100644
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -514,7 +514,7 @@ static int init_card(struct snd_usb_caiaqdev *cdev)
 	card->private_free = card_free;
 	err = setup_card(cdev);
 	if (err < 0)
-		return err;
+		goto err_kill_urb;
 
 	return 0;
 
-- 
cgit 1.3-korg

be62c8bb03b6

ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitTakashi IwaiApr 27, 2026Fixed in 6.6.140via kernel-cna

commit

1 file changed · +1 −2

sound/usb/caiaq/device.c+1 −2 modified

diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
index 8af0c04041ee3e..e6fe82e4e3d75a 100644
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -514,7 +514,7 @@ static int init_card(struct snd_usb_caiaqdev *cdev)
 	card->private_free = card_free;
 	err = setup_card(cdev);
 	if (err < 0)
-		return err;
+		goto err_kill_urb;
 
 	return 0;
 
-- 
cgit 1.3-korg

e0fb842af705

ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitTakashi IwaiApr 27, 2026Fixed in 6.12.86via kernel-cna

commit

1 file changed · +1 −2

sound/usb/caiaq/device.c+1 −2 modified

diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
index 8af0c04041ee3e..e6fe82e4e3d75a 100644
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -514,7 +514,7 @@ static int init_card(struct snd_usb_caiaqdev *cdev)
 	card->private_free = card_free;
 	err = setup_card(cdev);
 	if (err < 0)
-		return err;
+		goto err_kill_urb;
 
 	return 0;
 
-- 
cgit 1.3-korg

438ab932dc6f

ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitTakashi IwaiApr 27, 2026Fixed in 7.0.4via kernel-cna

commit

1 file changed · +1 −2

sound/usb/caiaq/device.c+1 −2 modified

diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
index 8af0c04041ee3e..e6fe82e4e3d75a 100644
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -514,7 +514,7 @@ static int init_card(struct snd_usb_caiaqdev *cdev)
 	card->private_free = card_free;
 	err = setup_card(cdev);
 	if (err < 0)
-		return err;
+		goto err_kill_urb;
 
 	return 0;
 
-- 
cgit 1.3-korg

0a7b5221b5b5

ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitTakashi IwaiApr 27, 2026Fixed in 7.1-rc2via kernel-cna

commit

1 file changed · +1 −2

sound/usb/caiaq/device.c+1 −2 modified

diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
index ad9f744b496bfb..1afd91e2739659 100644
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -514,7 +514,7 @@ static int init_card(struct snd_usb_caiaqdev *cdev)
 
 	err = setup_card(cdev);
 	if (err < 0)
-		return err;
+		goto err_kill_urb;
 
 	return 0;
 
-- 
cgit 1.3-korg

e0fb842af705

ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitTakashi IwaiApr 27, 2026via nvd-ref

commit

1 file changed · +1 −2

sound/usb/caiaq/device.c+1 −2 modified

diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
index 8af0c04041ee3e..e6fe82e4e3d75a 100644
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -514,7 +514,7 @@ static int init_card(struct snd_usb_caiaqdev *cdev)
 	card->private_free = card_free;
 	err = setup_card(cdev);
 	if (err < 0)
-		return err;
+		goto err_kill_urb;
 
 	return 0;
 
-- 
cgit 1.3-korg

be62c8bb03b6

ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitTakashi IwaiApr 27, 2026via nvd-ref

commit

1 file changed · +1 −2

sound/usb/caiaq/device.c+1 −2 modified

diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
index 8af0c04041ee3e..e6fe82e4e3d75a 100644
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -514,7 +514,7 @@ static int init_card(struct snd_usb_caiaqdev *cdev)
 	card->private_free = card_free;
 	err = setup_card(cdev);
 	if (err < 0)
-		return err;
+		goto err_kill_urb;
 
 	return 0;
 
-- 
cgit 1.3-korg

0a7b5221b5b5

ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitTakashi IwaiApr 27, 2026via nvd-ref

commit

1 file changed · +1 −2

sound/usb/caiaq/device.c+1 −2 modified

diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
index ad9f744b496bfb..1afd91e2739659 100644
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -514,7 +514,7 @@ static int init_card(struct snd_usb_caiaqdev *cdev)
 
 	err = setup_card(cdev);
 	if (err < 0)
-		return err;
+		goto err_kill_urb;
 
 	return 0;
 
-- 
cgit 1.3-korg

1d160e30aa42

ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitTakashi IwaiApr 27, 2026via nvd-ref

commit

1 file changed · +1 −2

sound/usb/caiaq/device.c+1 −2 modified

diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
index 8af0c04041ee3e..e6fe82e4e3d75a 100644
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -514,7 +514,7 @@ static int init_card(struct snd_usb_caiaqdev *cdev)
 	card->private_free = card_free;
 	err = setup_card(cdev);
 	if (err < 0)
-		return err;
+		goto err_kill_urb;
 
 	return 0;
 
-- 
cgit 1.3-korg

438ab932dc6f

ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitTakashi IwaiApr 27, 2026via nvd-ref

commit

1 file changed · +1 −2

sound/usb/caiaq/device.c+1 −2 modified

diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
index 8af0c04041ee3e..e6fe82e4e3d75a 100644
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -514,7 +514,7 @@ static int init_card(struct snd_usb_caiaqdev *cdev)
 	card->private_free = card_free;
 	err = setup_card(cdev);
 	if (err < 0)
-		return err;
+		goto err_kill_urb;
 
 	return 0;
 
-- 
cgit 1.3-korg

Vulnerability mechanics

Root cause

"Missing URB cleanup in the error path of init_card() when setup_card() fails, leaving a previously submitted URB (cdev->ep1_in_urb) dangling."

Attack vector

An attacker with physical access to a USB port can plug a Native Instruments caiaq device that triggers a failure in setup_card() during driver probe. If the device causes setup_card() to return an error after cdev->ep1_in_urb has already been submitted, the error path in init_card() previously returned the error directly without killing that URB. This leaves a lingering URB reference that can lead to a resource leak (URB never freed). No special network path or authentication is required; the attack vector is local USB device insertion.

Affected code

The vulnerable code is in sound/usb/caiaq/device.c, in the function init_card(). When setup_card(cdev) returns a negative error code, the original code did "return err" without first killing the potentially already-submitted cdev->ep1_in_urb. The patch changes this to "goto err_kill_urb" so that the existing URB cleanup path is taken.

What the fix does

The patch changes the error return in init_card() from "return err" to "goto err_kill_urb" [patch_id=2660622]. The err_kill_urb label (present elsewhere in the function) calls usb_kill_urb() on cdev->ep1_in_urb before returning. This ensures that if setup_card() fails after the URB has been submitted, the URB is properly killed and freed rather than left dangling. The fix closes a resource leak that was missed by the earlier commit 28abd224db4a ("ALSA: caiaq: Handle probe errors properly").

Preconditions

inputA USB device that causes setup_card() to fail after cdev->ep1_in_urb has been submitted.
authNo authentication required; physical USB access is sufficient.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000