In the Linux kernel, the following vulnerability has been resolved:
ALSA: caiaq: Handle probe errors properly
The probe procedure of setup_card() in the caiaq driver doesn't treat the error cases gracefully, e.g. the error from snd_card_register() calls snd_card_free() but continues. This would lead to a UAF for the further calls like snd_usb_caiaq_control_init(), as Berk suggested in another patch in the link below.
However, the problem is not only that; in general, this function drops all the error handling (as it's a void function) although its caller can propagate an error to snd_probe(), which eventually calls snd_card_free() as a proper error path. That said, we should treat each error case in setup_card(), and just return the error code promptly, which is then handled later as a fatal error in snd_probe().
This patch achieves it by changing setup_card() to return an error code. Also, the superfluous snd_card_free() call is removed, too.
Note that card->private_free can still be set safely when returning an error. All called functions in card_free() have checks of the unassigned resources or NULL checks.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46004.json",
"cna_assigner": "Linux"
}