PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46048 Linux CVE debrief

A reference-counting defect in the Linux kernel's ALSA caiaq USB audio driver can cause memory leaks when device probe fails. The driver takes a reference on the USB device during initialization but only installs the matching release callback near the end of a multi-step setup sequence. If any intermediate step fails—such as interface selection, endpoint validation, URB submission, or device info exchange—the error path frees the sound card without releasing the USB device reference, leaking the struct usb_device and its associated allocations. The fix moves the destructor assignment immediately after the reference is taken, ensuring balanced reference counting on all error paths.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators, kernel maintainers, and organizations using Native Instruments USB audio devices with the caiaq driver

Technical summary

The ALSA caiaq driver in the Linux kernel contains a reference counting imbalance in its probe error handling. The create_card() function calls usb_get_dev() to acquire a reference on the USB device, with the matching usb_put_dev() placed in card_free() which is registered as the snd_card's ->private_free destructor. However, ->private_free is assigned only near the end of init_card(), after multiple potential failure points including usb_set_interface(), endpoint type checks, usb_submit_urb(), and the EP1_CMD_GET_DEVICE_INFO exchange with timeout handling. When any of these operations fail, init_card() returns an error to snd_probe(), which invokes snd_card_free(card). Because ->private_free remains NULL, card_free() never executes, the usb_get_dev() reference is never dropped, and the struct usb_device leaks along with its descriptor allocations and device_private. The vulnerability was reproduced with a malformed UAC3 device where usb_set_interface(usb_dev, 0, 1) fails with -EIO. The fix relocates the ->private_free assignment into create_card() immediately after usb_get_dev(), ensuring that every error path reaching snd_card_free() properly balances the reference. The card_free() callees (snd_usb_caiaq_input_free, free_urbs, kfree) tolerate partially-initialized state because the chip private area is zero-initialized by snd_card_new().
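
The ordering problem described above, reduced to a userspace C model. This is an added example, not the kernel driver's code: the struct layouts, the `fixed` switch and `leaked_refs()` are assumptions made for illustration, and only the function names mirror those named in the summary.

```c
/* Userspace model (constructed) of the caiaq probe path; not kernel code. */
#include <stdio.h>
#include <stdlib.h>
struct usb_device { int refcount; };
struct snd_card {
    struct usb_device *dev;
    void (*private_free)(struct snd_card *);
};
static void usb_get_dev(struct usb_device *d) { d->refcount++; }
static void usb_put_dev(struct usb_device *d) { d->refcount--; }
/* Destructor holding the matching put, as card_free() does in the driver. */
static void card_free(struct snd_card *card) { usb_put_dev(card->dev); }

/* Like snd_card_free(): the destructor runs only if one is installed. */
static void snd_card_free(struct snd_card *card) {
    if (card->private_free)
        card->private_free(card);
    free(card);
}

static struct snd_card *create_card(struct usb_device *d, int fixed) {
    struct snd_card *card = calloc(1, sizeof(*card)); /* zeroed: hook is NULL */
    if (!card) return NULL;
    card->dev = d;
    usb_get_dev(d);
    if (fixed)
        card->private_free = card_free; /* fix: install right after the get */
    return card;
}

/* Models init_card(); err stands in for usb_set_interface() failing. */
static int init_card(struct snd_card *card, int err) {
    if (!err)
        card->private_free = card_free; /* pre-fix location: end of init */
    return err;
}

/* References still held on the device after a failed probe (-1 on OOM). */
int leaked_refs(int fixed) {
    struct usb_device dev = { .refcount = 1 }; /* reference held elsewhere */
    struct snd_card *card = create_card(&dev, fixed);
    if (!card) return -1;
    if (init_card(card, -5 /* -EIO */) < 0)
        snd_card_free(card);
    return dev.refcount - 1;
}

int main(void) {
    printf("pre-fix: %d, fixed: %d\n", leaked_refs(0), leaked_refs(1));
    return 0;
}
```

With the hook installed only at the end of `init_card()`, the failed probe leaves one reference outstanding; with it installed in `create_card()`, the count returns to its starting value.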

Defensive priority

medium

Recommended defensive actions

  • Apply kernel patches from stable branches when available for your distribution
  • Monitor vendor security advisories for backported fixes
  • Restrict physical access to USB ports where untrusted devices may be connected
  • Consider disabling the caiaq driver module if Native Instruments USB audio devices are not required

Evidence notes

The vulnerability description indicates syzbot reproduced the leak using a malformed UAC3 device with only altsetting 0 valid, causing usb_set_interface(usb_dev, 0, 1) to fail with -EIO and trigger the leak path. The fix involves relocating the ->private_free assignment from init_card() to create_card() immediately following usb_get_dev().
