{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-27T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ALSA: caiaq: Handle probe errors properly",
    "id" : "2482082",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2482082"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-825",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nALSA: caiaq: Handle probe errors properly\nThe probe procedure of setup_card() in caiaq driver doesn't treat the\nerror cases gracefully, e.g. the error from snd_card_register() calls\nsnd_card_free() but continues.  This would lead to a UAF for the\nfurther calls like snd_usb_caiaq_control_init(), as Berk suggested in\nanother patch in the link below.\nHowever, the problem is not only that; in general, this function drops\nthe all error handlings (as it's a void function) although its caller\ncan propagate an error to snd_probe(), which eventually calls\nsnd_card_free() as a proper error path.  That said, we should treat\neach error case in setup_card(), and just return the error code\npromptly, which is then handled later as a fatal error in snd_probe().\nThis patch achieves it by changing the setup_card() to return an error\ncode.  Also, the superfluous snd_card_free() call is removed, too.\nNote that card->private_free can be set still safely at returning an\nerror.  All called functions in card_free() have checks of the\nunassigned resources or NULL checks.", "A flaw was found in the Linux kernel, specifically within the ALSA caiaq driver. This vulnerability arises from improper error handling during the `setup_card()` probe procedure. When an error occurs, the system may attempt to use memory that has already been freed, leading to a Use-After-Free (UAF) condition. This could allow a local attacker to potentially cause a system crash (Denial of Service) or execute arbitrary code." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-46004\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-46004\nhttps://lore.kernel.org/linux-cve-announce/2026052742-CVE-2026-46004-7e24@gregkh/T" ],
  "name" : "CVE-2026-46004",
  "csaw" : false
}