{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31581","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.119Z","datePublished":"2026-04-24T14:42:11.557Z","dateUpdated":"2026-05-11T22:11:33.670Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:11:33.670Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: 6fire: fix use-after-free on disconnect\n\nIn usb6fire_chip_abort(), the chip struct is allocated as the card's\nprivate data (via snd_card_new with sizeof(struct sfire_chip)).  When\nsnd_card_free_when_closed() is called and no file handles are open, the\ncard and embedded chip are freed synchronously.  The subsequent\nchip->card = NULL write then hits freed slab memory.\n\nCall trace:\n  usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline]\n  usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182\n  usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458\n  ...\n  hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953\n\nFix by moving the card lifecycle out of usb6fire_chip_abort() and into\nusb6fire_chip_disconnect().  The card pointer is saved in a local\nbefore any teardown, snd_card_disconnect() is called first to prevent\nnew opens, URBs are aborted while chip is still valid, and\nsnd_card_free_when_closed() is called last so chip is never accessed\nafter the card may be freed."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["sound/usb/6fire/chip.c"],"versions":[{"version":"b754e831a94f82f2593af806741392903f359168","lessThan":"e88354b381e2006de63d6b052ed7005c9a47d00e","status":"affected","versionType":"git"},{"version":"57860a80f03f9dc69a34a5c37b0941ad032a0a8c","lessThan":"af75b486f7e883e3422ece23c8d727e6815144a0","status":"affected","versionType":"git"},{"version":"a0810c3d6dd2d29a9b92604d682eacd2902ce947","lessThan":"d21e8a2af4869b5890b34e081d5aeadc93e9cd5c","status":"affected","versionType":"git"},{"version":"a0810c3d6dd2d29a9b92604d682eacd2902ce947","lessThan":"3dc20d1981d6a67d8184498a5da272942dde1e65","status":"affected","versionType":"git"},{"version":"a0810c3d6dd2d29a9b92604d682eacd2902ce947","lessThan":"51f6532790b74ffdd6970bc848358a2838c1c185","status":"affected","versionType":"git"},{"version":"a0810c3d6dd2d29a9b92604d682eacd2902ce947","lessThan":"b9c826916fdce6419b94eb0cd8810fdac18c2386","status":"affected","versionType":"git"},{"version":"74357d0b5cd3ef544752bc9f21cbeee4902fae6c","status":"affected","versionType":"git"},{"version":"273eec23467dfbfbd0e4c10302579ba441fb1e13","status":"affected","versionType":"git"},{"version":"f2d06d4e129e2508e356136f99bb20a332ff1a00","status":"affected","versionType":"git"},{"version":"b889a7d68d7e76b8795b754a75c91a2d561d5e8c","status":"affected","versionType":"git"},{"version":"ea8cc56db659cf0ae57073e32a4735ead7bd7ee3","status":"affected","versionType":"git"},{"version":"0df7f4b5cc10f5adf98be0845372e9eef7bb5b09","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["sound/usb/6fire/chip.c"],"versions":[{"version":"6.13","status":"affected"},{"version":"0","lessThan":"6.13","status":"unaffected","versionType":"semver"},{"version":"6.6.136","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.83","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.24","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.14","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0.1","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1-rc1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.64","versionEndExcluding":"6.6.136"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.2","versionEndExcluding":"6.12.83"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.24"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.19.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"7.0.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"7.1-rc1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.325"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.287"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.231"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.174"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.120"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11.11"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/e88354b381e2006de63d6b052ed7005c9a47d00e"},{"url":"https://git.kernel.org/stable/c/af75b486f7e883e3422ece23c8d727e6815144a0"},{"url":"https://git.kernel.org/stable/c/d21e8a2af4869b5890b34e081d5aeadc93e9cd5c"},{"url":"https://git.kernel.org/stable/c/3dc20d1981d6a67d8184498a5da272942dde1e65"},{"url":"https://git.kernel.org/stable/c/51f6532790b74ffdd6970bc848358a2838c1c185"},{"url":"https://git.kernel.org/stable/c/b9c826916fdce6419b94eb0cd8810fdac18c2386"}],"title":"ALSA: 6fire: fix use-after-free on disconnect","x_generator":{"engine":"bippy-1.2.0"}}}}