KernelScan.io

HIGH

ASoC SMA1307 Memory Double-Free

CVE-2026-31475

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH

In the Linux kernel, the following vulnerability has been resolved:

ASoC: sma1307: fix double free of devm_kzalloc() memory

A previous change added NULL checks and cleanup for allocation failures in sma1307_setting_loaded(). However, the cleanup for mode_set entries is wrong. Those entries are allocated with devm_kzalloc(), so they are device-managed resources and must not be freed with kfree(). Manually freeing them in the error path can lead to a double free when devres later releases the same memory. Drop the manual kfree() loop and let devres handle the cleanup.

Engine v0.2.0

Risk summary

A double-free vulnerability in the SMA1307 audio codec driver could lead to memory corruption and system crashes. An attacker with local access who can trigger memory allocation failures during audio device initialization could exploit this to cause denial of service or potentially achieve code execution through heap corruption.

Affected: sound/soc/codecs/sma1307.c

Vulnerability analysis

Root Cause: The sma1307_setting_loaded() function incorrectly uses kfree() to manually free memory that was allocated with devm_kzalloc(). Device-managed memory allocated with devm_kzalloc() is automatically freed by the device resource management system when the device is removed or the driver is unloaded. Manually freeing this memory with kfree() creates a double-free condition when devres later attempts to free the same memory.

Attack Surface: This vulnerability affects the ASoC (ALSA System on Chip) audio subsystem, specifically the SMA1307 audio codec driver. It is triggered during device initialization when memory allocation fails, making it a local attack surface that requires the ability to cause memory allocation failures or to trigger device probe operations.

Fix Mechanism: The patch removes the manual kfree() calls in the error cleanup path and replaces them with devm_kfree() calls followed by setting the pointers to NULL. This ensures proper cleanup of device-managed resources without creating a double-free condition. The devm_kfree() function is the correct way to manually free device-managed memory before device removal.

Branch     Fixed in   Patch commit
6.15       6.15       d472d1a52985
6.18       6.18.21    1a82c3272626
6.19       6.19.11    fe757092d232
mainline   7.0