PatchSiren

CVE-2026-45992 Linux CVE debrief

A vulnerability in the Linux kernel's ALSA caiaq audio driver could cause a resource leak when device initialization fails. An internal USB Request Block (URB) named `ep1_in_urb` may already have been submitted when `setup_card()` encounters an error, and that error path did not clean it up. The URB is normally killed during device disconnection, but because the error path lacked this cleanup, the URB could be left active. This is a local issue affecting kernel memory management rather than a remotely exploitable vulnerability. The fix ensures the URB is properly killed in the error path of `setup_card()`.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems with Native Instruments CAIAQ-based audio devices (such as certain DJ controllers and audio interfaces) should apply kernel updates when available. General Linux users without this specific hardware are minimally affected.

Technical summary

The ALSA caiaq driver in the Linux kernel failed to kill the `ep1_in_urb` USB Request Block when `setup_card()` returned an error, potentially leaving an active URB that should have been cleaned up. The fix adds proper URB cleanup to the error path.

Defensive priority

Low

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available from your Linux distribution
  • Monitor vendor security advisories for kernel package updates addressing CVE-2026-45992
  • No immediate action required for systems not using Native Instruments CAIAQ audio devices
  • Review systems with attached Native Instruments audio interfaces for kernel update status
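
The last two actions above can be scripted as a host triage. This is an added example, not part of the advisory or the kernel fix. It assumes the driver appears in `lsmod` as `snd_usb_caiaq` and that Native Instruments devices use USB vendor ID 17cc; the sample `lsmod`/`lsusb` text is constructed.

```sh
#!/bin/sh
# Added example: classify a host against the advisory's recommended actions.
# Assumptions (not stated in the advisory): module name snd_usb_caiaq,
# USB vendor ID 17cc for Native Instruments. A vendor match is a coarse
# filter: not every 17cc device is necessarily bound to the caiaq driver.

# Reads `lsmod` output on stdin; succeeds only on an exact module-name match.
caiaq_module_loaded() {
    awk '$1 == "snd_usb_caiaq" { found = 1 } END { exit !found }'
}

# Reads `lsusb` output on stdin; succeeds if any device ID starts with 17cc:.
ni_device_attached() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "ID" && tolower($(i + 1)) ~ /^17cc:/) found = 1 }
         END { exit !found }'
}

# triage LSMOD_TEXT LSUSB_TEXT -> prints one verdict word.
triage() {
    if printf '%s\n' "$2" | ni_device_attached; then
        echo "review-kernel-update"      # attached device: check update status
    elif printf '%s\n' "$1" | caiaq_module_loaded; then
        echo "driver-loaded-no-device"   # driver present, nothing attached now
    else
        echo "no-action"                 # hardware not in use on this host
    fi
}

# Constructed sample input (the product ID ffff is a placeholder).
SAMPLE_LSMOD='Module                  Size  Used by
snd_usb_caiaq          65536  0
snd_rawmidi            45056  1 snd_usb_caiaq'
SAMPLE_LSUSB='Bus 001 Device 004: ID 17cc:ffff Constructed Sample Device
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'

triage "$SAMPLE_LSMOD" "$SAMPLE_LSUSB"

# On a real host: triage "$(lsmod)" "$(lsusb)"; record `uname -r` alongside
# the verdict to compare against your distribution's fixed kernel package.
```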

Evidence notes

The CVE description and kernel commit references confirm this is a fix for a URB leak in the ALSA caiaq driver error path. The vulnerability requires local access to trigger the specific error condition in device initialization. No CVSS score has been assigned as of the CVE publication date.

Official resources

2026-05-27