{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31475", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.098Z", "datePublished": "2026-04-22T13:54:04.113Z", "dateUpdated": "2026-04-22T13:54:04.113Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:54:04.113Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: sma1307: fix double free of devm_kzalloc() memory\n\nA previous change added NULL checks and cleanup for allocation\nfailures in sma1307_setting_loaded().\n\nHowever, the cleanup for mode_set entries is wrong. Those entries are\nallocated with devm_kzalloc(), so they are device-managed resources and\nmust not be freed with kfree(). Manually freeing them in the error path\ncan lead to a double free when devres later releases the same memory.\n\nDrop the manual kfree() loop and let devres handle the cleanup."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/soc/codecs/sma1307.c"], "versions": [{"version": "0ec6bd16705fe21d6429d6b8f7981eae2142bba8", "lessThan": "d472d1a52985211b92883bb64bbe710b45980190", "status": "affected", "versionType": "git"}, {"version": "0ec6bd16705fe21d6429d6b8f7981eae2142bba8", "lessThan": "1a82c3272626db9006f4c2cad3adf2916417aed6", "status": "affected", "versionType": "git"}, {"version": "0ec6bd16705fe21d6429d6b8f7981eae2142bba8", "lessThan": "fe757092d2329c397ecb32f2bf68a5b1c4bd9193", "status": "affected", "versionType": "git"}, {"version": "f8434b8ba437d3f6cbcd9ffe8405bd16ed28fc5c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/soc/codecs/sma1307.c"], "versions": [{"version": "6.15", "status": "affected"}, {"version": "0", "lessThan": "6.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14.9"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d472d1a52985211b92883bb64bbe710b45980190"}, {"url": "https://git.kernel.org/stable/c/1a82c3272626db9006f4c2cad3adf2916417aed6"}, {"url": "https://git.kernel.org/stable/c/fe757092d2329c397ecb32f2bf68a5b1c4bd9193"}], "title": "ASoC: sma1307: fix double free of devm_kzalloc() memory", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: sma1307: fix double free of devm_kzalloc() memory\n\nA previous change added NULL checks and cleanup for allocation\nfailures in sma1307_setting_loaded().\n\nHowever, the cleanup for mode_set entries is wrong. Those entries are\nallocated with devm_kzalloc(), so they are device-managed resources and\nmust not be freed with kfree(). Manually freeing them in the error path\ncan lead to a double free when devres later releases the same memory.\n\nDrop the manual kfree() loop and let devres handle the cleanup."}], "id": "CVE-2026-31475", "lastModified": "2026-04-22T14:16:44.207", "metrics": {}, "published": "2026-04-22T14:16:44.207", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1a82c3272626db9006f4c2cad3adf2916417aed6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d472d1a52985211b92883bb64bbe710b45980190"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fe757092d2329c397ecb32f2bf68a5b1c4bd9193"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0ec6bd16705fe21d6429d6b8f7981eae2142bba8,d472d1a52985211b92883bb64bbe710b45980190)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0ec6bd16705fe21d6429d6b8f7981eae2142bba8,1a82c3272626db9006f4c2cad3adf2916417aed6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0ec6bd16705fe21d6429d6b8f7981eae2142bba8,fe757092d2329c397ecb32f2bf68a5b1c4bd9193)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "f8434b8ba437d3f6cbcd9ffe8405bd16ed28fc5c"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.15"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.15)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T18:56:10.692927+00:00", "value": {"mitigation_remediation": ["Apply the latest kernel release that contains commit 1a82c3272626db9006f4c2cad3adf2916417aed6 which removes the manual kfree cleanup loop", "Verify that the sma1307 audio driver is either updated or disabled if the system remains on an older kernel", "Audit system logs for repeated \"device resource released\" errors as an early indicator of an exploitation attempt"], "summary": {"action": "Patch Immediately", "impact": "Denial of Service / Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the Linux kernel source tree. No specific kernel release or version is enumerated in the advisory; it applies to any kernel configuration that includes the sma1307 audio driver prior to the referenced commit that deletes the manual cleanup loop.", "description_and_impact": "A memory management flaw in the Linux kernel\u2019s ASoC audio subsystem allows a double free of device\u2011managed data allocated by devm_kzalloc(). The original cleanup loop incorrectly called kfree(), which can trigger a second free when the device\u2019s resource allocator later releases the same memory. This vulnerability may cause a crash of the audio driver or, in a worst case scenario, arbitrary code execution with kernel\u2011level privileges. The description states that the bug was fixed by removing the manual kfree loop and delegating cleanup to devres.*", "risk_and_exploitability": "Because the change is internal to the kernel, exploitation requires that an attacker can trigger the audio driver\u2019s error path, likely through crafted audio data or device interactions. No EPSS score is supplied, and the issue is not listed in the KEV catalog, but double\u2011free bugs in the kernel are generally considered high\u2011severity. Attackers with local privileges or those able to load the driver can potentially exploit it, making it a high\u2011risk vulnerability if a patched kernel is not in use."}}}}, "created": "2026-04-22T16:45:21.250060+00:00", "updated": "2026-04-22T19:00:08.095241+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-416"]}