Cyber Resilience

CVE-2026-23089

High

Published: 04 February 2026

Published
04 February 2026
Modified
17 March 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 6.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23089 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-41 (Port and I/O Device Access).

Deeper analysis

CVE-2026-23089 is a use-after-free vulnerability (CWE-416) in the Linux kernel's ALSA USB audio subsystem, specifically in the snd_usb_mixer_free() function. The issue arises when snd_usb_create_mixer() fails: the function frees the mixer->id_elems array, but controls already added to the sound card continue to reference this memory. During subsequent snd_card_register(), the OSS mixer layer invokes callbacks on these controls, triggering a use-after-free read, as seen in the call trace starting from get_ctl_value() in sound/usb/mixer.c.

A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N) can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements. Successful exploitation grants high impacts on confidentiality, integrity, and availability (CVSS 7.8), potentially allowing arbitrary code execution, data corruption, or system crashes via malicious USB audio device interactions during device probing.

The provided kernel stable commit references detail the fix: before freeing id_elems, iterate over mixer controls and call snd_ctl_remove() on each, saving the next pointer first since removal frees the current element. Security practitioners should apply these patches from the linked commits (e.g., 51b1aa6fe7dc87356ba58df06afb9677c9b841ea) to affected Linux kernel versions supporting ALSA USB audio.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees mixer->id_elems but the controls already added to the card still reference the freed memory. Later when snd_card_register() runs, the…

more

OSS mixer layer calls their callbacks and hits a use-after-free read. Call trace: get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411 get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241 mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381 snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887 ... snd_card_register+0x4ed/0x6d0 sound/core/init.c:923 usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025 Fix by calling snd_ctl_remove() for all mixer controls before freeing id_elems. We save the next pointer first because snd_ctl_remove() frees the current element.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1200 Hardware Additions Initial Access
Adversaries may physically introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access.
Why these techniques?

UAF in Linux kernel ALSA USB audio enables local privilege escalation via malicious USB device (T1068 Exploitation for Privilege Escalation); directly triggered by hardware addition during probing (T1200 Hardware Additions).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2026-23158Same product: Linux Linux Kernel
CVE-2025-21893Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2026-31650Same product: Linux Linux Kernel
CVE-2026-23001Same product: Linux Linux Kernel
CVE-2024-50051Same product: Linux Linux Kernel
CVE-2025-21759Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.19 · 2.6.13 — 5.10.249 · 5.11 — 5.15.199 · 5.16 — 6.1.162

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the use-after-free vulnerability by requiring timely identification, testing, and deployment of the specific kernel patch that properly removes mixer controls before freeing id_elems.

prevent

Provides kernel-level memory protections such as ASLR, SMEP/SMAP, and stack canaries that mitigate exploitation of the use-after-free read during OSS mixer callbacks.

prevent

Restricts access to USB ports and I/O devices, preventing local attackers from connecting malicious USB audio devices that trigger the flawed snd_usb_create_mixer() failure path.

References