CVE-2026-53242

HIGH

ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams snd_pcm_drain() uses init_waitqueue_entry which does not clear entry.prev/next, and add_wait_queue with a conditional remove_wait_queue that is skipped when to_check is no longer in the group after concurrent UNLINK. The orphaned wait entry remains on the unlinked substream sleep queue. On the next drain iteration, add_wait_queue adds the entry to a new queue while still linked on the old one, corrupting both lists. A subsequent wake_up dereferences NULL at the func pointer (mapped from the spinlock at offset 0 of the misinterpreted wait_queue_head_t), causing a kernel panic. Replace init_waitqueue_entry/add_wait_queue/conditional remove_wait_queue with init_wait_entry/prepare_to_wait/ finish_wait. init_wait_entry clears prev/next via INIT_LIST_HEAD on each iteration and sets autoremove_wake_function which auto-removes the entry on wake-up. finish_wait safely handles both the already-removed and still-queued cases.

Scores

CVSS v3 7.8
EPSS 0.0014
EPSS Percentile 3.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-476
Status published
Products (32)
linux/Kernel < 5.10.259linux
linux/Kernel 5.11.0 - 6.1.176linux
linux/Kernel 6.13.0 - 6.18.36linux
linux/Kernel 6.19.0 - 7.0.13linux
linux/Kernel 6.2.0 - 6.6.143linux
linux/Kernel 6.7.0 - 6.12.94linux
Linux/Linux < 7.0
Linux/Linux 4a758e9a1f5ed722f83c4dd35f867fe811553bcb - cd98837db15f323463b8df07282ac723bd5c3fed
Linux/Linux 5.10.253 - 5.10.259
Linux/Linux 5.10.259 - 5.10.*
... and 22 more
Published Jun 25, 2026
Tracked Since Jun 25, 2026