KernelScan.io

HIGH

usb-audio Mixer UAF

CVE-2026-23089

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()

When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees mixer->id_elems but the controls already added to the card still reference the freed memory. Later when snd_card_register() runs, the OSS mixer layer calls their callbacks and hits a use-after-free read.

Call trace:
  get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411
  get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241
  mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381
  snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887
  ...
  snd_card_register+0x4ed/0x6d0 sound/core/init.c:923
  usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025

Fix by calling snd_ctl_remove() for all mixer controls before freeing id_elems. We save the next pointer first because snd_ctl_remove() frees the current element.

02

Engine v0.2.0

Risk summary

A use-after-free vulnerability in USB audio mixer cleanup can cause kernel crashes or potential code execution when connecting malicious USB audio devices. The bug occurs during device initialization failure paths and affects systems with USB audio support.

Affected: sound/usb/mixer.c

Vulnerability analysis

Root Cause: In the USB audio mixer cleanup path, mixer->id_elems memory is freed while ALSA control structures still hold references to elements within that memory. When snd_usb_create_mixer() fails and snd_usb_mixer_free() is called, it frees the id_elems array but doesn't remove the associated controls from the sound card. Later, when snd_card_register() runs, the OSS mixer layer attempts to access these freed control elements through their callbacks, resulting in a use-after-free read.

Attack Surface: This vulnerability is triggered through USB audio device enumeration and requires physical access to connect a malicious or malformed USB audio device. The bug occurs during device probe/initialization when mixer creation fails, making it accessible to any user with USB device access privileges.

Fix Mechanism: The patch fixes the issue by properly cleaning up control references before freeing memory. It iterates through all mixer elements in the id_elems array and calls snd_ctl_remove() to unregister each control from the sound card before freeing the id_elems memory. The code carefully saves the next pointer before calling snd_ctl_remove() since that function frees the current element.
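The cleanup ordering described under Fix Mechanism, as a small user-space C model added here for illustration; it is not the kernel patch. The struct layouts, the `ctl_remove()` stand-in for snd_ctl_remove() and the `ctls_left_after_cleanup()` helper are assumptions of the model.

```c
#include <stdlib.h>
#define N_IDS 4   /* constructed table size for this model */
struct elem  { struct elem *next; struct ctl *kctl; };  /* mixer element */
struct ctl   { struct ctl *next; struct elem *priv; };  /* card control */
struct card  { struct ctl *ctls; };
struct mixer { struct card *card; struct elem **id_elems; };

/* Stand-in for snd_ctl_remove(): unlink from the card, free control + element. */
static void ctl_remove(struct card *c, struct ctl *k)
{
    struct ctl **pp = &c->ctls;
    while (*pp && *pp != k)
        pp = &(*pp)->next;
    if (*pp)
        *pp = k->next;
    free(k->priv);
    free(k);
}

static void add_ctl(struct mixer *m, int id)
{
    struct elem *e = calloc(1, sizeof(*e));
    struct ctl *k = calloc(1, sizeof(*k));
    if (!e || !k) abort();
    e->kctl = k; k->priv = e;
    k->next = m->card->ctls;   m->card->ctls = k;    /* visible to the card */
    e->next = m->id_elems[id]; m->id_elems[id] = e;  /* chained per id */
}

/* Cleanup after a failed mixer creation. fixed=0 frees only the table (old
 * path); fixed=1 removes every control first. Returns controls left on card. */
int ctls_left_after_cleanup(int n, int fixed)
{
    struct card card = { 0 };
    struct mixer m = { &card, calloc(N_IDS, sizeof(struct elem *)) };
    struct elem *e, *next;
    int i, left = 0;
    if (!m.id_elems) abort();
    for (i = 0; i < n; i++)
        add_ctl(&m, i % N_IDS);
    for (i = 0; fixed && i < N_IDS; i++)
        for (e = m.id_elems[i]; e; e = next) {
            next = e->next;              /* save first: ctl_remove() frees e */
            ctl_remove(&card, e->kctl);
        }
    free(m.id_elems);
    for (; card.ctls; left++)            /* count survivors while tearing down */
        ctl_remove(&card, card.ctls);
    return left;
}
```

A non-zero return for `fixed=0` is the condition the commit message describes: controls that the card can still call into after the mixer's table is gone.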

03

Branch     Fixed in    Patch commit
5.10       5.10.249    51b1aa6fe7dc
5.15       5.15.199    56fb6efd5d04
6.1        6.1.162     7009daeefa94
6.12       6.12.68     e6f103a22b08
6.18       6.18.8      dc1a5dd80af1
6.6        6.6.122     7bff0156d13f
mainline   6.19        930e69757b74