CVE-2026-23089
Published: Feb 4, 2026
Modified: May 11, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees mixer->id_elems but the controls already added to the card still reference the freed memory. Later when snd_card_register() runs, the OSS mixer layer calls their callbacks and hits a use-after-free read. Call trace: get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411 get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241 mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381 snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887 ... snd_card_register+0x4ed/0x6d0 sound/core/init.c:923 usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025 Fix by calling snd_ctl_remove() for all mixer controls before freeing id_elems. We save the next pointer first because snd_ctl_remove() frees the current element.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected 6639b6c2367f884ca172b78d69f7da17bfab2e5e - < 51b1aa6fe7dc87356ba58df06afb9677c9b841eaaffected 6639b6c2367f884ca172b78d69f7da17bfab2e5e - < 56fb6efd5d04caf6f14994d51ec85393b9a896c6affected 6639b6c2367f884ca172b78d69f7da17bfab2e5e - < 7009daeefa945973a530b2f605fe445fc03747afaffected 6639b6c2367f884ca172b78d69f7da17bfab2e5e - < 7bff0156d13f0ad9436e5178b979b063d59f572aaffected 6639b6c2367f884ca172b78d69f7da17bfab2e5e - < e6f103a22b08daf5df2f4aa158081840e5910963+2 more versions |
Linux | Linux | affected 2.6.13unaffected 0 - < 2.6.13unaffected 5.10.249 - <= 5.10.*unaffected 5.15.199 - <= 5.15.*unaffected 6.1.162 - <= 6.1.*+4 more versions |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now