CVE-2026-23089
Published: 04 February 2026
Summary
CVE-2026-23089 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-41 (Port and I/O Device Access).
Deeper analysis
CVE-2026-23089 is a use-after-free vulnerability (CWE-416) in the Linux kernel's ALSA USB audio subsystem, specifically in the snd_usb_mixer_free() function. The issue arises when snd_usb_create_mixer() fails: the function frees the mixer->id_elems array, but controls already added to the sound card continue to reference this memory. During subsequent snd_card_register(), the OSS mixer layer invokes callbacks on these controls, triggering a use-after-free read, as seen in the call trace starting from get_ctl_value() in sound/usb/mixer.c.
A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N) can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements. Successful exploitation grants high impacts on confidentiality, integrity, and availability (CVSS 7.8), potentially allowing arbitrary code execution, data corruption, or system crashes via malicious USB audio device interactions during device probing.
The provided kernel stable commit references detail the fix: before freeing id_elems, iterate over mixer controls and call snd_ctl_remove() on each, saving the next pointer first since removal frees the current element. Security practitioners should apply these patches from the linked commits (e.g., 51b1aa6fe7dc87356ba58df06afb9677c9b841ea) to affected Linux kernel versions supporting ALSA USB audio.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5453
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees mixer->id_elems but the controls already added to the card still reference the freed memory. Later when snd_card_register() runs, the…
more
OSS mixer layer calls their callbacks and hits a use-after-free read. Call trace: get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411 get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241 mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381 snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887 ... snd_card_register+0x4ed/0x6d0 sound/core/init.c:923 usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025 Fix by calling snd_ctl_remove() for all mixer controls before freeing id_elems. We save the next pointer first because snd_ctl_remove() frees the current element.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
UAF in Linux kernel ALSA USB audio enables local privilege escalation via malicious USB device (T1068 Exploitation for Privilege Escalation); directly triggered by hardware addition during probing (T1200 Hardware Additions).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the use-after-free vulnerability by requiring timely identification, testing, and deployment of the specific kernel patch that properly removes mixer controls before freeing id_elems.
Provides kernel-level memory protections such as ASLR, SMEP/SMAP, and stack canaries that mitigate exploitation of the use-after-free read during OSS mixer callbacks.
Restricts access to USB ports and I/O devices, preventing local attackers from connecting malicious USB audio devices that trigger the flawed snd_usb_create_mixer() failure path.