PT-2026-43915 · Linux · Linux

Syzbot · Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-46048

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
ALSA: caiaq: fix usb dev refcount leak on probe failure
create_card() takes a reference on the USB device with usb_get_dev() and stores the matching usb_put_dev() in card_free(), which is installed as the snd_card's ->private_free destructor.
However, ->private_free is only assigned near the end of init_card(), after several failure points (usb_set_interface(), EP type checks, usb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its timeout). When any of those fail, init_card() returns an error to snd_probe(), which calls snd_card_free(card). Because ->private_free is still NULL, card_free() never runs, the usb_get_dev() reference is not dropped, and the struct usb_device leaks along with its descriptor allocations and device_private.
syzbot reproduces this with a malformed UAC3 device whose only valid altsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call fails with -EIO and triggers the leak.
Move the ->private_free assignment into create_card(), immediately after usb_get_dev(), so that every error path reaching snd_card_free() balances the reference. card_free()'s callees (snd_usb_caiaq_input_free, free_urbs, kfree) already tolerate the partially-initialized state because the chip private area is zero-initialized by snd_card_new().
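The ordering problem described above, as an added userspace model that is not the kernel's or the driver's code: function names mirror the description, their bodies are simplified assumptions, and the `fixed` and `iface_err` parameters are hypothetical switches for comparing the two orderings.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only; bodies are simplified assumptions, not driver code. */
struct usb_device { int refcount; };
struct card {
    void (*private_free)(struct card *); /* destructor run by snd_card_free() */
    struct usb_device *dev;              /* zeroed by calloc(), like snd_card_new() */
};

static void usb_get_dev(struct usb_device *d) { d->refcount++; }
static void usb_put_dev(struct usb_device *d) { d->refcount--; }
static void card_free(struct card *c) { usb_put_dev(c->dev); }

/* Model of snd_card_free(): the destructor runs only if it was installed. */
static void snd_card_free(struct card *c)
{
    if (c->private_free)
        c->private_free(c);
    free(c);
}

static struct card *create_card(struct usb_device *d, int fixed)
{
    struct card *c = calloc(1, sizeof(*c));
    if (!c)
        return NULL;
    usb_get_dev(d);
    c->dev = d;
    if (fixed)
        c->private_free = card_free; /* fixed ordering: right after usb_get_dev() */
    return c;
}

/* Model of init_card(): iface_err stands in for usb_set_interface() failing. */
static int init_card(struct card *c, int fixed, int iface_err)
{
    if (iface_err)
        return iface_err;            /* early exit, before the old assignment */
    if (!fixed)
        c->private_free = card_free; /* old ordering: only near the end */
    return 0;
}

/* Device refcount once the card is freed; 1 means the reference was balanced. */
int refcount_after_probe(int fixed, int iface_err)
{
    struct usb_device dev = { .refcount = 1 }; /* reference held by the USB core */
    struct card *c = create_card(&dev, fixed);
    if (!c)
        return -1;
    init_card(c, fixed, iface_err);
    snd_card_free(c); /* probe error path, or the normal teardown on success */
    return dev.refcount;
}
int main(void) { printf("old=%d fixed=%d\n", refcount_after_probe(0, -5), refcount_after_probe(1, -5)); return 0; }
```

A result of 2 means the `usb_get_dev()` reference was never dropped; the value -5 passed for `iface_err` stands for -EIO.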

Related Identifiers

CVE-2026-46048

Affected Products

Linux