CVE-2026-31587

Source
https://cve.org/CVERecord?id=CVE-2026-31587
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31587.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31587
Downstream
Related
Published
2026-04-24T14:42:15.625Z
Modified
2026-06-18T03:55:23.461564895Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
ASoC: qcom: q6apm: move component registration to unmanaged version
Details

In the Linux kernel, the following vulnerability has been resolved:

ASoC: qcom: q6apm: move component registration to unmanaged version

q6apm component registers dais dynamically from ASoC toplology, which are allocated using device managed version apis. Allocating both component and dynamic dais using managed version could lead to incorrect free ordering, dai will be freed while component still holding references to it.

Fix this issue by moving component to unmanged version so that the dai pointers are only freeded after the component is removed.

================================================================== BUG: KASAN: slab-use-after-free in sndsocdelcomponentunlocked+0x3d4/0x400 [sndsoccore] Read of size 8 at addr ffff00084493a6e8 by task kworker/u48:0/3426 Tainted: [W]=WARN Hardware name: LENOVO 21N2ZC5PUS/21N2ZC5PUS, BIOS N42ET57W (1.31 ) 08/08/2024 Workqueue: pdrnotifierwq pdrnotifierwork [pdrinterface] Call trace: showstack+0x28/0x7c (C) dumpstacklvl+0x60/0x80 printreport+0x160/0x4b4 kasanreport+0xac/0xfc __asanreportload8noabort+0x20/0x34 sndsocdelcomponentunlocked+0x3d4/0x400 [sndsoccore] sndsocunregistercomponentbydriver+0x50/0x88 [sndsoccore] devmcomponentrelease+0x30/0x5c [sndsoccore] devresreleaseall+0x13c/0x210 deviceunbindcleanup+0x20/0x190 devicereleasedriverinternal+0x350/0x468 devicereleasedriver+0x18/0x30 busremovedevice+0x1a0/0x35c devicedel+0x314/0x7f0 deviceunregister+0x20/0xbc aprremovedevice+0x5c/0x7c [apr] deviceforeachchild+0xd8/0x160 aprpdstatus+0x7c/0xa8 [apr] pdrnotifierwork+0x114/0x240 [pdrinterface] processonework+0x500/0xb70 workerthread+0x630/0xfb0 kthread+0x370/0x6c0 retfromfork+0x10/0x20

Allocated by task 77: kasansavestack+0x40/0x68 kasansavetrack+0x20/0x40 kasansavealloc_info+0x44/0x58 __kasan_kmalloc+0xbc/0xdc __kmallocnodetrackcallernoprof+0x1f4/0x620 devmkmalloc+0x7c/0x1c8 sndsocregisterdai+0x50/0x4f0 [sndsoccore] soctplgpcmelemsload+0x55c/0x1eb8 [sndsoccore] sndsoctplgcomponentload+0x4f8/0xb60 [sndsoccore] audioreachtplginit+0x124/0x1fc [sndq6apm] q6apmaudioprobe+0x10/0x1c [sndq6apm] sndsoccomponentprobe+0x5c/0x118 [sndsoccore] socprobecomponent+0x44c/0xaf0 [sndsoccore] sndsocbindcard+0xad0/0x2370 [sndsoccore] sndsocregistercard+0x3b0/0x4c0 [sndsoccore] devmsndsocregistercard+0x50/0xc8 [sndsoccore] x1e80100platformprobe+0x208/0x368 [sndsocx1e80100] platformprobe+0xc0/0x188 really_probe+0x188/0x804 __driverprobedevice+0x158/0x358 driverprobedevice+0x60/0x190 __deviceattachdriver+0x16c/0x2a8 bus_foreachdrv+0x100/0x194 _deviceattach+0x174/0x380 deviceinitialprobe+0x14/0x20 busprobedevice+0x124/0x154 deferredprobeworkfunc+0x140/0x220 processonework+0x500/0xb70 workerthread+0x630/0xfb0 kthread+0x370/0x6c0 retfromfork+0x10/0x20

Freed by task 3426: kasansavestack+0x40/0x68 kasansavetrack+0x20/0x40 __kasansavefree_info+0x4c/0x80 __kasanslabfree+0x78/0xa0 kfree+0x100/0x4a4 devresreleaseall+0x144/0x210 deviceunbindcleanup+0x20/0x190 devicereleasedriverinternal+0x350/0x468 devicereleasedriver+0x18/0x30 busremovedevice+0x1a0/0x35c devicedel+0x314/0x7f0 deviceunregister+0x20/0xbc aprremovedevice+0x5c/0x7c [apr] deviceforeachchild+0xd8/0x160 aprpdstatus+0x7c/0xa8 [apr] pdrnotifierwork+0x114/0x240 [pdrinterface] processonework+0x500/0xb70 workerthread+0x630/0xfb0 kthread+0x370/0x6c0 retfromfork+0x10/0x20

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31587.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5477518b8a0e8a45239646acd80c9bafc4401522
Fixed
110769a9aa51135ac7ce479a47dfb41924f37664
Fixed
887632163b546a8944b46ef465f1d74e838b727a
Fixed
b7412ed789ffb1e59c8d6f5ab6a6a718963c85e2
Fixed
30383b7780ffa140bc124de5b66cae7c84133dbb
Fixed
f7b790531cdad3b2075ab937aa06d7b802403be4
Fixed
a561a55b79a9c55f0443377f2d4dcf6149d057af
Fixed
6ec1235fc941dac6c011b30ee01d9220ff87e0cd

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31587.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.136
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.83
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.24
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.14
Type
ECOSYSTEM
Events
Introduced
6.20.0
Fixed
7.0.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31587.json"