CVE-2026-46090

HIGH

ALSA: aloop: Fix peer runtime UAF during format-change stop

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix peer runtime UAF during format-change stop loopback_check_format() may stop the capture side when playback starts with parameters that no longer match a running capture stream. Commit 826af7fa62e3 ("ALSA: aloop: Fix racy access at PCM trigger") moved the peer lookup under cable->lock, but the actual snd_pcm_stop() still runs after dropping that lock. A concurrent close can clear the capture entry from cable->streams[] and detach or free its runtime while the playback trigger path still holds a stale peer substream pointer. Keep a per-cable count of in-flight peer stops before dropping cable->lock, and make free_cable() wait for those stops before detaching the runtime. This preserves the existing behavior while making the peer runtime lifetime explicit.

References (22)

Core 22
Core References

Scores

CVSS v3 7.8
EPSS 0.0010
EPSS Percentile 1.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-364 CWE-416
Status published
Products (22)
linux/Kernel 2.6.37 - 5.10.259linux
linux/Kernel 5.11.0 - 5.15.210linux
linux/Kernel 5.16.0 - 6.12.88linux
linux/Kernel 6.13.0 - 6.18.27linux
linux/Kernel 6.19.0 - 7.0.4linux
Linux/Linux < 2.6.37
Linux/Linux 2.6.37
Linux/Linux 5.10.259 - 5.10.*
Linux/Linux 5.15.210 - 5.15.*
Linux/Linux 597603d615d2b19a9e451d8cfac24372856a522d - 03f52a9c170431e8f10e156b9dc0dae80b3e9198
... and 12 more
Published May 27, 2026
Tracked Since May 27, 2026