CVE-2026-23089

Source
https://cve.org/CVERecord?id=CVE-2026-23089
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23089.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-23089
Published
2026-02-04T16:08:12.575Z
Modified
2026-03-24T08:59:13.861883Z
Summary
ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()
Details

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()

When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees mixer->id_elems but the controls already added to the card still reference the freed memory. Later when snd_card_register() runs, the OSS mixer layer calls their callbacks and hits a use-after-free read.

Call trace:
  get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411
  get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241
  mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381
  snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887
  ...
  snd_card_register+0x4ed/0x6d0 sound/core/init.c:923
  usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025

Fix by calling snd_ctl_remove() for all mixer controls before freeing id_elems. We save the next pointer first because snd_ctl_remove() frees the current element.
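
The teardown ordering described above, as an added example: a userspace C model that is not the kernel patch or any code from this record. Every struct and function name in it (elem, card, mixer, add_ctl, ctl_remove, mixer_free, probe_fail) is hypothetical, and the three controls are constructed sample data.

```c
#include <stdlib.h>
/* Userspace model; every name here is hypothetical, not the kernel's. */
enum { MAX_IDS = 4, MAX_CTLS = 8 };
struct mixer;
struct elem  { struct elem *next; struct mixer *mixer; int slot; };
struct card  { struct elem *ctls[MAX_CTLS]; };  /* private data of each control */
struct mixer { struct elem *id_elems[MAX_IDS]; };

/* Register a control on the card and chain its element under a unit id. */
static void add_ctl(struct card *c, struct mixer *m, int id, int slot)
{
    struct elem *e = calloc(1, sizeof(*e));
    if (!e) abort();
    e->mixer = m; e->slot = slot;       /* callbacks reach the mixer via e */
    e->next = m->id_elems[id];
    m->id_elems[id] = c->ctls[slot] = e;
}

/* Stand-in for the removal call: unregisters the control and frees its element. */
static void ctl_remove(struct card *c, struct elem *e)
{
    c->ctls[e->slot] = NULL;
    free(e);
}

/* Free the mixer; returns how many controls the card could still call into. */
static int mixer_free(struct card *c, struct mixer *m, int remove_ctls_first)
{
    int left = 0;
    for (int id = 0; remove_ctls_first && id < MAX_IDS; id++) {
        for (struct elem *e = m->id_elems[id], *next; e; e = next) {
            next = e->next;             /* saved first: ctl_remove() frees e */
            ctl_remove(c, e);
        }
    }
    free(m);                            /* any surviving e->mixer now dangles */
    for (int s = 0; s < MAX_CTLS; s++) left += c->ctls[s] != NULL;
    return left;
}

/* Simulated failed probe with three controls already added to the card. */
static int probe_fail(int remove_ctls_first)
{
    struct card c = { { NULL } };
    struct mixer *m = calloc(1, sizeof(*m));
    if (!m) abort();
    add_ctl(&c, m, 0, 0); add_ctl(&c, m, 0, 1); add_ctl(&c, m, 2, 2);
    int left = mixer_free(&c, m, remove_ctls_first);
    for (int s = 0; s < MAX_CTLS; s++) free(c.ctls[s]);  /* never reads e->mixer */
    return left;
}
```

With remove_ctls_first set to 0 the model leaves three controls registered with a pointer into freed mixer state, which is the condition a later callback would trip over; with 1 none remain.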

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23089.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6639b6c2367f884ca172b78d69f7da17bfab2e5e
Fixed
51b1aa6fe7dc87356ba58df06afb9677c9b841ea
Fixed
56fb6efd5d04caf6f14994d51ec85393b9a896c6
Fixed
7009daeefa945973a530b2f605fe445fc03747af
Fixed
7bff0156d13f0ad9436e5178b979b063d59f572a
Fixed
e6f103a22b08daf5df2f4aa158081840e5910963
Fixed
dc1a5dd80af1ee1f29d8375b12dd7625f6294dad
Fixed
930e69757b74c3ae083b0c3c7419bfe7f0edc7b2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23089.json"