In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees mixer->id_elems but the controls already added to the card still reference the freed memory. Later when snd_card_register() runs, the OSS mixer layer calls their callbacks and hits a use-after-free read. Call trace: get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411 get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241 mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381 snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887 ... snd_card_register+0x4ed/0x6d0 sound/core/init.c:923 usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025 Fix by calling snd_ctl_remove() for all mixer controls before freeing id_elems. We save the next pointer first because snd_ctl_remove() frees the current element.
5.10.103-15.10.103-1~bpo10+15.10.106-15.10.113-15.10.120-15.10.120-1~bpo10+15.10.127-15.10.127-25.10.127-2~bpo10+15.10.136-1+384 more6.1.106-16.1.106-26.1.106-36.1.112-16.1.115-16.1.119-16.1.123-16.1.124-16.1.128-16.1.129-1+230 more6.12.38-16.12.41-16.12.43-16.12.43-1~bpo12+16.12.48-16.12.57-16.12.57-1~bpo12+16.12.63-16.13.10-1~exp16.13.11-1~exp1+64 more