PT-2026-36331 · Linux · Linux Kernel

Published 2026-05-01 · Updated 2026-05-16 · CVE-2026-31701

CVSS v3.1: 5.5 Medium

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

The caiaq driver in the ALSA subsystem stores a pointer to the parent USB device in cdev->chip.dev without taking a reference to it. This leads to a use-after-free scenario where the snd_usb_caiaq_card_free() callback, executed asynchronously via snd_card_free_when_closed(), may attempt to access cdev->chip.dev after the USB device has been disconnected and freed. Additionally, the card free implementation incorrectly calls usb_reset_device(cdev->chip.dev), which causes a race condition with the disconnect path during teardown.

Recommendations

Update the Linux kernel to a version where the create_card() function uses usb_get_dev() to take a reference on the USB device, the free callback uses usb_put_dev() to release it, and the usb_reset_device() call is removed.
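The lifetime rule behind this fix, as an added userspace C model (not kernel code and not part of the original advisory). Every `*_model` name and `simulate()` are hypothetical stand-ins for the device refcount, create_card() and the free callback, and a flag replaces the real free so the stale state can be observed safely.

```c
#include <stdio.h>
/* Userspace model; every *_model name and simulate() is hypothetical. */
struct usb_dev_model { int refcount; int released; };
struct card_model { struct usb_dev_model *dev; int holds_ref; };
static struct usb_dev_model *get_dev_model(struct usb_dev_model *d)
{
    d->refcount++;                 /* models usb_get_dev() */
    return d;
}

static void put_dev_model(struct usb_dev_model *d)
{
    if (--d->refcount == 0)        /* models usb_put_dev() */
        d->released = 1;           /* the kernel would free the device here */
}

/* Card creation stores the pointer (the cdev->chip.dev role), optionally pinning it. */
static void create_card_model(struct card_model *c, struct usb_dev_model *d, int take_ref)
{
    c->dev = take_ref ? get_dev_model(d) : d;
    c->holds_ref = take_ref;
}

/* Deferred free callback: returns 1 if the device was already released. */
static int card_free_model(struct card_model *c)
{
    int stale = c->dev->released;
    if (c->holds_ref)
        put_dev_model(c->dev);     /* drop the reference taken at creation */
    return stale;
}

/* Probe, disconnect (the core's reference is dropped), then the late card free. */
int simulate(int take_ref, int *final_refcount)
{
    struct usb_dev_model dev = { .refcount = 1, .released = 0 };
    struct card_model card;
    create_card_model(&card, &dev, take_ref);
    put_dev_model(&dev);                 /* disconnect while the card is still open */
    int stale = card_free_model(&card);  /* runs once the last open file closes */
    *final_refcount = dev.refcount;
    return stale;
}

int main(void)
{
    int rc, a = simulate(0, &rc), b = simulate(1, &rc);
    return printf("without ref: stale=%d, with ref: stale=%d\n", a, b) < 0;
}
```

Without the reference, the deferred callback sees a device that disconnect already released; with it, the device stays alive until the callback drops the last reference.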

Related Identifiers

CVE-2026-31701
ECHO-3C36-0C72-3AB5
OPENSUSE-SU-2026:10793-1

Affected Products

Linux Kernel