CVE-2026-23089
- Source
- https://cve.org/CVERecord?id=CVE-2026-23089
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23089.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-23089
- Downstream
- Related
- Published
- 2026-02-04T16:08:12.575Z
- Modified
- 2026-03-24T08:59:29.116838Z
- Summary
- ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix use-after-free in sndusbmixer_free()
When sndusbcreatemixer() fails, sndusbmixerfree() frees mixer->idelems but the controls already added to the card still reference the freed memory. Later when sndcard_register() runs, the OSS mixer layer calls their callbacks and hits a use-after-free read.
Call trace: getctlvalue+0x63f/0x820 sound/usb/mixer.c:411 getminmaxwithquirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241 mixerctlfeatureinfo+0x26b/0x490 sound/usb/mixer.c:1381 sndmixerossbuildtest+0x174/0x3a0 sound/core/oss/mixeross.c:887 ... sndcardregister+0x4ed/0x6d0 sound/core/init.c:923 usbaudioprobe+0x5ef/0x2a90 sound/usb/card.c:1025
Fix by calling sndctlremove() for all mixer controls before freeing idelems. We save the next pointer first because sndctl_remove() frees the current element.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23089.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/51b1aa6fe7dc87356ba58df06afb9677c9b841ea
- https://git.kernel.org/stable/c/56fb6efd5d04caf6f14994d51ec85393b9a896c6
- https://git.kernel.org/stable/c/7009daeefa945973a530b2f605fe445fc03747af
- https://git.kernel.org/stable/c/7bff0156d13f0ad9436e5178b979b063d59f572a
- https://git.kernel.org/stable/c/930e69757b74c3ae083b0c3c7419bfe7f0edc7b2
- https://git.kernel.org/stable/c/dc1a5dd80af1ee1f29d8375b12dd7625f6294dad
- https://git.kernel.org/stable/c/e6f103a22b08daf5df2f4aa158081840e5910963
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23089.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-23089
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced6639b6c2367f884ca172b78d69f7da17bfab2e5eFixed51b1aa6fe7dc87356ba58df06afb9677c9b841eaFixed56fb6efd5d04caf6f14994d51ec85393b9a896c6Fixed7009daeefa945973a530b2f605fe445fc03747afFixed7bff0156d13f0ad9436e5178b979b063d59f572aFixede6f103a22b08daf5df2f4aa158081840e5910963Fixeddc1a5dd80af1ee1f29d8375b12dd7625f6294dadFixed930e69757b74c3ae083b0c3c7419bfe7f0edc7b2
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced2.6.13Fixed5.10.249
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.199
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.162
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.122
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.68
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.18.8