{
  "public_date" : "2026-04-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ASoC: qcom: q6apm: move component registration to unmanaged version",
    "id" : "2461505",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461505"
  },
  "cwe" : "CWE-825",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nASoC: qcom: q6apm: move component registration to unmanaged version\nq6apm component registers dais dynamically from ASoC topology, which\nare allocated using device managed version apis. Allocating both\ncomponent and dynamic dais using managed version could lead to incorrect\nfree ordering, dai will be freed while component still holding references\nto it.\nFix this issue by moving component to unmanaged version so\nthat the dai pointers are only freed after the component is removed.\n==================================================================\nBUG: KASAN: slab-use-after-free in snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]\nRead of size 8 at addr ffff00084493a6e8 by task kworker/u48:0/3426\nTainted: [W]=WARN\nHardware name: LENOVO 21N2ZC5PUS/21N2ZC5PUS, BIOS N42ET57W (1.31 ) 08/08/2024\nWorkqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]\nCall trace:\nshow_stack+0x28/0x7c (C)\ndump_stack_lvl+0x60/0x80\nprint_report+0x160/0x4b4\nkasan_report+0xac/0xfc\n__asan_report_load8_noabort+0x20/0x34\nsnd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]\nsnd_soc_unregister_component_by_driver+0x50/0x88 [snd_soc_core]\ndevm_component_release+0x30/0x5c [snd_soc_core]\ndevres_release_all+0x13c/0x210\ndevice_unbind_cleanup+0x20/0x190\ndevice_release_driver_internal+0x350/0x468\ndevice_release_driver+0x18/0x30\nbus_remove_device+0x1a0/0x35c\ndevice_del+0x314/0x7f0\ndevice_unregister+0x20/0xbc\napr_remove_device+0x5c/0x7c [apr]\ndevice_for_each_child+0xd8/0x160\napr_pd_status+0x7c/0xa8 [apr]\npdr_notifier_work+0x114/0x240 [pdr_interface]\nprocess_one_work+0x500/0xb70\nworker_thread+0x630/0xfb0\nkthread+0x370/0x6c0\nret_from_fork+0x10/0x20\nAllocated by task 77:\nkasan_save_stack+0x40/0x68\nkasan_save_track+0x20/0x40\nkasan_save_alloc_info+0x44/0x58\n__kasan_kmalloc+0xbc/0xdc\n__kmalloc_node_track_caller_noprof+0x1f4/0x620\ndevm_kmalloc+0x7c/0x1c8\nsnd_soc_register_dai+0x50/0x4f0 [snd_soc_core]\nsoc_tplg_pcm_elems_load+0x55c/0x1eb8 [snd_soc_core]\nsnd_soc_tplg_component_load+0x4f8/0xb60 [snd_soc_core]\naudioreach_tplg_init+0x124/0x1fc [snd_q6apm]\nq6apm_audio_probe+0x10/0x1c [snd_q6apm]\nsnd_soc_component_probe+0x5c/0x118 [snd_soc_core]\nsoc_probe_component+0x44c/0xaf0 [snd_soc_core]\nsnd_soc_bind_card+0xad0/0x2370 [snd_soc_core]\nsnd_soc_register_card+0x3b0/0x4c0 [snd_soc_core]\ndevm_snd_soc_register_card+0x50/0xc8 [snd_soc_core]\nx1e80100_platform_probe+0x208/0x368 [snd_soc_x1e80100]\nplatform_probe+0xc0/0x188\nreally_probe+0x188/0x804\n__driver_probe_device+0x158/0x358\ndriver_probe_device+0x60/0x190\n__device_attach_driver+0x16c/0x2a8\nbus_for_each_drv+0x100/0x194\n__device_attach+0x174/0x380\ndevice_initial_probe+0x14/0x20\nbus_probe_device+0x124/0x154\ndeferred_probe_work_func+0x140/0x220\nprocess_one_work+0x500/0xb70\nworker_thread+0x630/0xfb0\nkthread+0x370/0x6c0\nret_from_fork+0x10/0x20\nFreed by task 3426:\nkasan_save_stack+0x40/0x68\nkasan_save_track+0x20/0x40\n__kasan_save_free_info+0x4c/0x80\n__kasan_slab_free+0x78/0xa0\nkfree+0x100/0x4a4\ndevres_release_all+0x144/0x210\ndevice_unbind_cleanup+0x20/0x190\ndevice_release_driver_internal+0x350/0x468\ndevice_release_driver+0x18/0x30\nbus_remove_device+0x1a0/0x35c\ndevice_del+0x314/0x7f0\ndevice_unregister+0x20/0xbc\napr_remove_device+0x5c/0x7c [apr]\ndevice_for_each_child+0xd8/0x160\napr_pd_status+0x7c/0xa8 [apr]\npdr_notifier_work+0x114/0x240 [pdr_interface]\nprocess_one_work+0x500/0xb70\nworker_thread+0x630/0xfb0\nkthread+0x370/0x6c0\nret_from_fork+0x10/0x20", "A flaw was found in the Linux kernel, specifically within the ASoC (ALSA System on Chip) qcom q6apm component. This vulnerability arises from incorrect memory management during the dynamic registration of digital audio interface (DAI) components. When both the component and its associated DAIs are allocated using device-managed application programming interfaces (APIs), an incorrect freeing order can occur, leading to a use-after-free condition. This can result in system instability or a denial of service." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31587\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31587\nhttps://lore.kernel.org/linux-cve-announce/2026042413-CVE-2026-31587-5afb@gregkh/T" ],
  "name" : "CVE-2026-31587",
  "csaw" : false
}