In the Linux kernel, the following vulnerability has been resolved:
ALSA: caiaq: fix usb_dev refcount leak on probe failure
createcard() takes a reference on the USB device with usbgetdev() and stores the matching usbputdev() in cardfree(), which is installed as the sndcard's ->privatefree destructor.
However, ->privatefree is only assigned near the end of initcard(), after several failure points (usbsetinterface(), EP type checks, usbsubmiturb(), the EP1CMDGETDEVICEINFO exchange, and its timeout). When any of those fail, initcard() returns an error to sndprobe(), which calls sndcardfree(card). Because ->privatefree is still NULL, cardfree() never runs, the usbgetdev() reference is not dropped, and the struct usbdevice leaks along with its descriptor allocations and deviceprivate.
syzbot reproduces this with a malformed UAC3 device whose only valid altsetting is 0; initcard()'s usbsetinterface(usbdev, 0, 1) call fails with -EIO and triggers the leak.
Move the ->privatefree assignment into createcard(), immediately after usbgetdev(), so that every error path reaching sndcardfree() balances the reference. cardfree()'s callees (sndusbcaiaqinputfree, freeurbs, kfree) already tolerate the partially-initialized state because the chip private area is zero-initialized by sndcardnew().
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46048.json",
"cna_assigner": "Linux"
}