Cyber Resilience

CVE-2026-31581

HighUpdated

Published: 24 April 2026

Published
24 April 2026
Modified
01 June 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 2.6th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31581 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31581 is a use-after-free vulnerability in the Linux kernel's ALSA USB 6fire driver (sound/usb/6fire). The issue occurs during device disconnection in usb6fire_chip_abort(), where the chip structure—allocated as the sound card's private data—is freed synchronously via snd_card_free_when_closed() if no file handles are open. A subsequent write to chip->card then accesses freed slab memory, as seen in the call trace from usb6fire_chip_disconnect through hub_event. This affects Linux kernels with the 6fire USB audio support enabled.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), requiring local access (AV:L) in an unchanged security scope (S:U). Successful exploitation could result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary code execution, data corruption, or system crashes during USB 6fire device disconnection.

The referenced kernel stable commits provide the mitigation by refactoring the card lifecycle in usb6fire_chip_disconnect(): a local copy of the card pointer is saved before teardown, snd_card_disconnect() is called first to block new opens, URBs are aborted while the chip remains valid, and snd_card_free_when_closed() is invoked last to ensure no post-free chip access. Security practitioners should update to kernels incorporating these patches (e.g., commits 3dc20d1981d6, 51f6532790b7, af75b486f7e8, b9c826916fdc, d21e8a2af486).

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: fix use-after-free on disconnect In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfire_chip)). When snd_card_free_when_closed() is called and no file…

more

handles are open, the card and embedded chip are freed synchronously. The subsequent chip->card = NULL write then hits freed slab memory. Call trace: usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline] usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182 usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458 ... hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953 Fix by moving the card lifecycle out of usb6fire_chip_abort() and into usb6fire_chip_disconnect(). The card pointer is saved in a local before any teardown, snd_card_disconnect() is called first to prevent new opens, URBs are aborted while chip is still valid, and snd_card_free_when_closed() is called last so chip is never accessed after the card may be freed.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local low-priv use-after-free in kernel USB driver enables arbitrary code execution in kernel context, directly mapping to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2026-23158Same product: Linux Linux Kernel
CVE-2025-21893Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2026-31650Same product: Linux Linux Kernel
CVE-2026-23001Same product: Linux Linux Kernel
CVE-2024-50051Same product: Linux Linux Kernel
CVE-2025-21759Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
≤ 6.6.136 · 6.12 — 6.12.83 · 6.13 — 6.18.24

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the use-after-free vulnerability in the Linux kernel's ALSA USB 6fire driver by applying the specific patches that refactor the card lifecycle during device disconnection.

detect

Vulnerability scanning detects the presence of CVE-2026-31581 in kernel versions with the 6fire driver enabled, enabling timely patching before local exploitation.

prevent

Memory protection techniques like non-executable memory segments and address space layout randomization hinder exploitation of the use-after-free during USB 6fire device disconnection.

References