Bug 2461471 (CVE-2026-31581) - CVE-2026-31581 kernel: ALSA: 6fire: fix use-after-free on disconnect
Summary: CVE-2026-31581 kernel: ALSA: 6fire: fix use-after-free on disconnect
Keywords:
Status: NEW
Alias: CVE-2026-31581
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-04-24 15:03 UTC by OSIDB Bzimport
Modified: 2026-06-11 10:13 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Links
System                  ID               Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2026:25120  0        None      None    None     2026-06-10 20:00:19 UTC
Red Hat Product Errata  RHSA-2026:25121  0        None      None    None     2026-06-10 21:39:02 UTC
Red Hat Product Errata  RHSA-2026:25191  0        None      None    None     2026-06-11 06:49:30 UTC
Red Hat Product Errata  RHSA-2026:25217  0        None      None    None     2026-06-11 10:13:30 UTC

Description OSIDB Bzimport 2026-04-24 15:03:22 UTC
In the Linux kernel, the following vulnerability has been resolved:

ALSA: 6fire: fix use-after-free on disconnect

In usb6fire_chip_abort(), the chip struct is allocated as the card's
private data (via snd_card_new with sizeof(struct sfire_chip)).  When
snd_card_free_when_closed() is called and no file handles are open, the
card and embedded chip are freed synchronously.  The subsequent
chip->card = NULL write then hits freed slab memory.

Call trace:
  usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline]
  usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182
  usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458
  ...
  hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953

Fix by moving the card lifecycle out of usb6fire_chip_abort() and into
usb6fire_chip_disconnect().  The card pointer is saved in a local
before any teardown, snd_card_disconnect() is called first to prevent
new opens, URBs are aborted while chip is still valid, and
snd_card_free_when_closed() is called last so chip is never accessed
after the card may be freed.
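
The teardown ordering described above, as an added userspace model (not the driver's code and not taken from the patch). The chip is embedded in the card allocation, a liveness flag stands in for a memory-safety checker so the model never dereferences freed memory, and every name in it (model_*, chip_ok, disconnect_*) is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
/* Userspace model only: every name below is hypothetical, not kernel API. */
struct model_chip { struct model_card *card; bool urbs_running; };
struct model_card { int open_handles; struct model_chip chip; }; /* chip embedded in card */
static bool card_live;     /* liveness oracle, so the model never reads freed memory */
static int stale_accesses; /* chip accesses attempted after the card was freed */

static struct model_chip *model_probe(int open_handles) {
    struct model_card *card = malloc(sizeof(*card));
    if (!card) abort();
    *card = (struct model_card){ open_handles, { card, true } };
    card_live = true; stale_accesses = 0;
    return &card->chip;
}
/* Stands in for snd_card_free_when_closed(): frees at once if nothing is open. */
static void model_free_when_closed(struct model_card *card) {
    if (card->open_handles > 0) return; /* real code frees on last close */
    free(card);
    card_live = false;
}

/* Gate for every chip access: a stale access is counted instead of performed. */
static bool chip_ok(void) {
    if (!card_live) stale_accesses++;
    return card_live;
}

/* Ordering reported as buggy: free during abort, then write chip->card = NULL. */
static int disconnect_before_fix(struct model_chip *chip) {
    if (chip_ok()) chip->urbs_running = false;
    if (chip_ok()) model_free_when_closed(chip->card);
    if (chip_ok()) chip->card = NULL;
    return stale_accesses;
}

/* Ordering given as the fix: save card in a local, abort URBs, free last. */
static int disconnect_after_fix(struct model_chip *chip) {
    struct model_card *card = chip_ok() ? chip->card : NULL;
    if (chip_ok()) chip->urbs_running = false; /* chip is still valid here */
    if (card) model_free_when_closed(card);    /* chip is not touched after this */
    return stale_accesses;
}
int main(void) {
    int before = disconnect_before_fix(model_probe(0)); /* no open handles */
    int after = disconnect_after_fix(model_probe(0));
    printf("stale chip accesses: before fix %d, after fix %d\n", before, after);
    return 0;
}
```

With a handle still open (model_probe(1)) the old ordering records no stale access, matching the description's condition that the free is synchronous only when no file handles are open.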

Comment 3 errata-xmlrpc 2026-06-10 20:00:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:25120 https://access.redhat.com/errata/RHSA-2026:25120

Comment 4 errata-xmlrpc 2026-06-10 21:39:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:25121 https://access.redhat.com/errata/RHSA-2026:25121

Comment 5 errata-xmlrpc 2026-06-11 06:49:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:25191 https://access.redhat.com/errata/RHSA-2026:25191

Comment 6 errata-xmlrpc 2026-06-11 10:13:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:25217 https://access.redhat.com/errata/RHSA-2026:25217
