CVE-2026-46004

Source
https://cve.org/CVERecord?id=CVE-2026-46004
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46004.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-46004
Downstream
Related
Published
2026-05-27T12:56:01.851Z
Modified
2026-06-24T09:14:23.923359911Z
Summary
ALSA: caiaq: Handle probe errors properly
Details

In the Linux kernel, the following vulnerability has been resolved:

ALSA: caiaq: Handle probe errors properly

The probe procedure of setup_card() in caiaq driver doesn't treat the error cases gracefully, e.g. the error from snd_card_register() calls snd_card_free() but continues. This would lead to a UAF for the further calls like snd_usb_caiaq_control_init(), as Berk suggested in another patch in the link below.

However, the problem is not only that; in general, this function drops all the error handling (as it's a void function) although its caller can propagate an error to snd_probe(), which eventually calls snd_card_free() as a proper error path. That said, we should treat each error case in setup_card(), and just return the error code promptly, which is then handled later as a fatal error in snd_probe().

This patch achieves it by changing setup_card() to return an error code. Also, the superfluous snd_card_free() call is removed, too.

Note that card->private_free can still be set safely when returning an error. All called functions in card_free() have checks of the unassigned resources or NULL checks.
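
The control flow described above, as an added userspace model (not the kernel source and not part of this record): a void setup step that releases the card on a register error and keeps going, next to the form that returns the error so the caller's single error path releases it. All names and the `struct card` layout are hypothetical stand-ins, and the "release" only sets a flag so the stale access can be counted safely.

```c
#include <errno.h>
#include <stdio.h>
/* Userspace model only: every name below is a hypothetical stand-in. */
struct card { int freed, free_calls, stale_uses; };
static void card_release(struct card *c) { c->freed = 1; c->free_calls++; }
static int card_register(int fail) { return fail ? -ENODEV : 0; }

/* A later init step that touches the card; counts accesses after release. */
static int control_init(struct card *c)
{
	if (c->freed)
		c->stale_uses++;
	return 0;
}

/* Before: void setup releases the card on error, then keeps going. */
static void setup_before(struct card *c, int fail)
{
	if (card_register(fail) < 0)
		card_release(c);
	control_init(c);	/* still runs after the release above */
}

/* After: setup releases nothing and returns the error promptly. */
static int setup_after(struct card *c, int fail)
{
	int err = card_register(fail);
	if (err < 0)
		return err;
	return control_init(c);
}

/* The caller owns the one error path and releases the card exactly once. */
static int probe_after(struct card *c, int fail)
{
	int err = setup_after(c, fail);
	if (err < 0)
		card_release(c);
	return err;
}

int main(void)
{
	struct card a = {0}, b = {0};
	setup_before(&a, 1);
	int err = probe_after(&b, 1);
	printf("before: stale_uses=%d\n", a.stale_uses);
	printf("after: err=%d stale_uses=%d\n", err, b.stale_uses);
	return 0;
}
```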

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46004.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8e3cd08ed8e590952aa9a656758cb24d4ba898f8
Fixed
da938aa9fc7826901921dcea225948ab21a97e45
Fixed
09616e25f502080ba684fc7fcf959d1376ab756d
Fixed
b956e48371f2ff72b76be9a829800ecec963bd45
Fixed
f537e3ad69609f6924a4db6b4a7f6561f5288bdd
Fixed
6251e3e256337a30160ef59ab1580dde4d1acd28
Fixed
e59ecd4ee3a450db6cb4e4ecaa3efdd593f80056
Fixed
096dd8519cf2f768e9e14f224b627f7aaee1a9c5
Fixed
28abd224db4a49560b452115bca3672a20e45b2f

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46004.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.25
Fixed
5.10.258
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.140
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.86
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.27
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46004.json"