{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ALSA: 6fire: fix use-after-free on disconnect",
    "id" : "2461471",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461471"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-825",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nALSA: 6fire: fix use-after-free on disconnect\nIn usb6fire_chip_abort(), the chip struct is allocated as the card's\nprivate data (via snd_card_new with sizeof(struct sfire_chip)).  When\nsnd_card_free_when_closed() is called and no file handles are open, the\ncard and embedded chip are freed synchronously.  The subsequent\nchip->card = NULL write then hits freed slab memory.\nCall trace:\nusb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline]\nusb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182\nusb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458\n...\nhub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953\nFix by moving the card lifecycle out of usb6fire_chip_abort() and into\nusb6fire_chip_disconnect().  The card pointer is saved in a local\nbefore any teardown, snd_card_disconnect() is called first to prevent\nnew opens, URBs are aborted while chip is still valid, and\nsnd_card_free_when_closed() is called last so chip is never accessed\nafter the card may be freed.", "A flaw was found in the Linux kernel's ALSA 6fire USB audio device driver. During the disconnection process of a 6fire USB audio device, a use-after-free vulnerability occurs. This happens when the system attempts to write to memory that has already been deallocated, which can lead to memory corruption and potentially cause system instability or a denial of service." ],
  "statement" : "The 6fire USB audio disconnect path could touch freed memory; upstream hardens the teardown ordering. Red Hat customers using this rare interface should update their kernels. An optional mitigation is to unload the 6fire ALSA USB driver module where it is unused.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31581\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31581\nhttps://lore.kernel.org/linux-cve-announce/2026042411-CVE-2026-31581-9bc2@gregkh/T" ],
  "name" : "CVE-2026-31581",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the snd_usb_6fire module from being loaded. See https://access.redhat.com/solutions/41278 for instructions.",
    "lang" : "en:us"
  },
  "csaw" : false
}