Expired Pointer Dereference The advisory has been revoked - it doesn't affect any version of package perf (opens in a new tab)
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CENTOS6-PERF-16292378
- published25 Apr 2026
- disclosed24 Apr 2026
Introduced: 24 Apr 2026
CVE-2026-31581 (opens in a new tab)Amendment
The Centos security team deemed this advisory irrelevant for Centos:6.
NVD Description
Note: Versions mentioned in the description apply only to the upstream perf package and not the perf package as distributed by Centos.
In the Linux kernel, the following vulnerability has been resolved:
ALSA: 6fire: fix use-after-free on disconnect
In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfire_chip)). When snd_card_free_when_closed() is called and no file handles are open, the card and embedded chip are freed synchronously. The subsequent chip->card = NULL write then hits freed slab memory.
Call trace: usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline] usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182 usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458 ... hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953
Fix by moving the card lifecycle out of usb6fire_chip_abort() and into usb6fire_chip_disconnect(). The card pointer is saved in a local before any teardown, snd_card_disconnect() is called first to prevent new opens, URBs are aborted while chip is still valid, and snd_card_free_when_closed() is called last so chip is never accessed after the card may be freed.
References
- https://access.redhat.com/security/cve/CVE-2026-31581
- https://git.kernel.org/stable/c/3dc20d1981d6a67d8184498a5da272942dde1e65
- https://git.kernel.org/stable/c/51f6532790b74ffdd6970bc848358a2838c1c185
- https://git.kernel.org/stable/c/af75b486f7e883e3422ece23c8d727e6815144a0
- https://git.kernel.org/stable/c/b9c826916fdce6419b94eb0cd8810fdac18c2386
- https://git.kernel.org/stable/c/d21e8a2af4869b5890b34e081d5aeadc93e9cd5c
- https://git.kernel.org/stable/c/e88354b381e2006de63d6b052ed7005c9a47d00e
- https://git.kernel.org/stable/c/ba88461f7653636c48321ca993006a74724c2f41
- https://git.kernel.org/stable/c/e247a0e01d15ed420f77ec5e2335721bf430a5b3
- https://git.kernel.org/stable/c/e719232f4552e29de8027a83918ea94434be87af