alsa 6fire Chip UAF
CVE-2026-31581
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: 6fire: fix use-after-free on disconnect

In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfire_chip)). When snd_card_free_when_closed() is called and no file handles are open, the card and embedded chip are freed synchronously. The subsequent chip->card = NULL write then hits freed slab memory.

Call trace:

```
usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline]
usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182
usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458
...
hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953
```

Fix by moving the card lifecycle out of usb6fire_chip_abort() and into usb6fire_chip_disconnect(). The card pointer is saved in a local before any teardown, snd_card_disconnect() is called first to prevent new opens, URBs are aborted while chip is still valid, and snd_card_free_when_closed() is called last so chip is never accessed after the card may be freed.
02 KernelScan AI Analysis
Risk summary
A use-after-free in the ALSA driver for the TerraTec DMX 6Fire USB audio interface (sound/usb/6fire), reached when the device is disconnected. During disconnect the driver frees the ALSA card, and with it the driver's chip struct that lives in the card's private data, and then stores NULL into chip->card: a pointer-sized write into slab memory that has already been returned to the allocator. The trigger is the USB disconnect itself, so in practice it takes someone able to unplug the device; note that the CVSS vector above nevertheless scores the attack as local (AV:L) with low privileges (PR:L). Turning a single NULL store into freed memory into a reliable exploit is hard, because the outcome depends on which object reuses the freed slot and on timing inside the USB hub worker, so the realistic impact is kernel memory corruption or a crash rather than a dependable privilege escalation.
Vulnerability analysis
Root Cause: In usb6fire_chip_abort(), the chip struct is not a separate allocation; it is the card's private data, allocated together with the card by snd_card_new(). When snd_card_free_when_closed() runs with no file handles open, the card and the embedded chip are freed synchronously, and the following 'chip->card = NULL' store writes into the freed slab object. When a handle is open, the free is deferred until the last close, so the same store lands in still-live memory and nothing visible goes wrong, which is why the ordering error could sit in the driver unnoticed.
Attack Surface: The bug sits in the USB disconnect path, so it is reached by a device-removal event for a TerraTec DMX 6Fire USB device rather than through any syscall the driver exposes. The call trace shows the stale write happening in the hub worker (hub_event -> usb_unbind_interface -> usb6fire_chip_disconnect), that is, in kernel context on behalf of the USB core and not in the context of a user process. Only systems that have this driver built in or loaded (CONFIG_SND_USB_6FIRE, module snd-usb-6fire) with the device attached expose the path; a quick check on a running system is whether snd_usb_6fire appears in lsmod output.
Fix Mechanism: The patch moves the card lifecycle out of usb6fire_chip_abort() and into usb6fire_chip_disconnect(), and fixes the order of teardown so that nothing touches chip once the card may be gone. The card pointer is saved in a local before any teardown, snd_card_disconnect() runs first so no new file handles can be opened, the URBs are aborted while chip is still valid, and snd_card_free_when_closed() is the final step. The invariant worth checking in similar drivers: when a driver struct lives inside the ALSA card's private data, the call that can free the card must be the last access to anything in that allocation.
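The ordering problem and the corrected sequence, as an added C model that is not code from the kernel or the 6fire driver: model_card, model_chip, model_alloc, chip_set_card, scenario and the other names are the model's own, standing in for snd_card, struct sfire_chip, snd_card_disconnect() and snd_card_free_when_closed(). The "free" is a quarantine flag rather than a real free() so the stale write can be counted instead of corrupting memory, and the model also covers the case the commit message implies but does not show, a disconnect while a file handle is open, where the deferred free hides the bug.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of the 6fire disconnect ordering bug. Every name is the model's own:
 * model_card/model_chip stand in for snd_card/sfire_chip and model_card_* for
 * the ALSA core. "Freeing" only sets a flag so stale writes can be counted. */

#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))

struct model_card {
    int open_handles;         /* open file handles on the card's devices */
    bool disconnected;        /* snd_card_disconnect() equivalent: no new opens */
    bool free_pending;        /* free deferred until the last close */
    bool freed;               /* memory released (quarantined here) */
};

struct model_chip {
    struct model_card *card;  /* back-pointer the bug writes after the free */
    int urbs_active;
};

/* snd_card_new() with sizeof(struct sfire_chip) of private data: card and chip
 * share one allocation, so freeing the card also frees the chip. */
struct model_alloc {
    struct model_card card;
    struct model_chip chip;
};

static int g_uaf_writes;      /* stores that landed in freed memory */

static struct model_alloc *model_card_new(void)
{
    struct model_alloc *a = calloc(1, sizeof(*a));
    if (!a)
        return NULL;
    a->chip.card = &a->card;
    a->chip.urbs_active = 4;  /* constructed: a few URBs in flight */
    return a;
}

/* Synchronous free when nothing is open, deferred to the last close otherwise. */
static void model_card_free_when_closed(struct model_card *card)
{
    if (card->open_handles == 0)
        card->freed = true;
    else
        card->free_pending = true;
}

/* Every store to chip->card goes through here; a store into a freed allocation is counted. */
static void chip_set_card(struct model_chip *chip, struct model_card *val)
{
    struct model_alloc *a = container_of(chip, struct model_alloc, chip);
    if (a->card.freed)
        g_uaf_writes++;
    else
        chip->card = val;
}

/* Pre-fix ordering as the commit message describes it: free the card (and the chip in it), then write chip->card. */
static int buggy_disconnect(struct model_chip *chip)
{
    g_uaf_writes = 0;
    chip->urbs_active = 0;
    if (chip->card) {
        model_card_free_when_closed(chip->card);
        chip_set_card(chip, NULL);   /* use-after-free if the free was synchronous */
    }
    return g_uaf_writes;
}

/* Post-fix ordering: save card, disconnect, abort URBs while chip is valid, free last. */
static int fixed_disconnect(struct model_chip *chip)
{
    struct model_card *card = chip->card;   /* saved before any teardown */
    g_uaf_writes = 0;
    if (card)
        card->disconnected = true;          /* no new opens from here on */
    chip->urbs_active = 0;                  /* chip is still valid here */
    if (card)
        model_card_free_when_closed(card);  /* last step; chip is never used after */
    return g_uaf_writes;
}

/* One disconnect with the given number of open handles; returns how many writes hit freed memory. */
static int scenario(int open_handles, bool use_fix)
{
    struct model_alloc *a = model_card_new();
    assert(a);
    a->card.open_handles = open_handles;
    int uaf = use_fix ? fixed_disconnect(&a->chip) : buggy_disconnect(&a->chip);
    if (use_fix)
        assert(a->card.disconnected && a->chip.urbs_active == 0);
    free(a);
    return uaf;
}

int main(void)
{
    printf("UAF writes: buggy/no handles %d, buggy/one handle %d, fixed %d\n",
           scenario(0, false), scenario(1, false), scenario(0, true));
    return 0;
}
```

Build with `cc -Wall model.c && ./a.out`. The middle scenario is why the bug could stay latent: the free-when-closed call only frees synchronously when nothing has the card open, so a disconnect with one of the card's devices open takes the deferred path and the stale store lands in still-live memory. On a real kernel the role of chip_set_card's check is played by KASAN, which is how reports with a trace like the one above are typically produced; without it the NULL store silently clobbers whatever object has reused the slab slot.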
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 4.20 | 4.20 | d21e8a2af486 |
| 5.5 | 5.5 | 3dc20d1981d6 |
| 5.10 | 5.10.258 | e719232f4552 |
| 5.15 | 5.15.209 | e247a0e01d15 |
| 6.1 | 6.1.175 | ba88461f7653 |
| 6.6 | 6.6.136 | e88354b381e2 |
| 6.12 | 6.12.83 | af75b486f7e8 |
| 6.18 | 6.18.24 | 51f6532790b7 |
| 6.19 | 6.19.14 | b9c826916fdc |
| 7.0 | 7.0.1 | — |
| mainline | 7.1-rc1 | — |