7.8

CVE-2026-46090

ALSA: aloop: Fix peer runtime UAF during format-change stop

In the Linux kernel, the following vulnerability has been resolved:

ALSA: aloop: Fix peer runtime UAF during format-change stop

loopback_check_format() may stop the capture side when playback starts
with parameters that no longer match a running capture stream. Commit
826af7fa62e3 ("ALSA: aloop: Fix racy access at PCM trigger") moved
the peer lookup under cable->lock, but the actual snd_pcm_stop() still
runs after dropping that lock.

A concurrent close can clear the capture entry from cable->streams[] and
detach or free its runtime while the playback trigger path still holds a
stale peer substream pointer.

Keep a per-cable count of in-flight peer stops before dropping
cable->lock, and make free_cable() wait for those stops before
detaching the runtime. This preserves the existing behavior while
making the peer runtime lifetime explicit.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 2.6.37 < 5.10.259
LinuxLinux Kernel Version >= 5.11 < 5.15.210
LinuxLinux Kernel Version >= 5.16 < 6.12.88
LinuxLinux Kernel Version >= 6.13 < 6.18.27
LinuxLinux Kernel Version >= 6.19 < 7.0.4
LinuxLinux Kernel Version7.1 Updaterc1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.1% 0.012
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7 1 5.9
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-364 Signal Handler Race Condition

The product uses a signal handler that introduces a race condition.

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/03f52a9c170431e8f10e156b9dc0dae80b3e9198
Patch
https://git.kernel.org/stable/c/bdd9503c3d222d2735b56c7a8b4422ccf3de6e5c
Patch
https://git.kernel.org/stable/c/5d45e34bf001344e2966dabca1897561bbc9e913
Patch
https://git.kernel.org/stable/c/e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff
Patch
https://git.kernel.org/stable/c/345c24b2bcf0923dfae1ab41497351c68214ff76
Patch
https://git.kernel.org/stable/c/83bd62fa9620ac98d5d694bde14c50f98c8e7189
Patch
https://bugzilla.redhat.com/show_bug.cgi?id=2481980
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46090.json
https://access.redhat.com/errata/RHSA-2026:27353
https://access.redhat.com/errata/RHSA-2026:27354
https://access.redhat.com/errata/RHSA-2026:33215
https://access.redhat.com/errata/RHSA-2026:34094
https://access.redhat.com/errata/RHSA-2026:34443
https://access.redhat.com/errata/RHSA-2026:35863
https://access.redhat.com/errata/RHSA-2026:35896
https://access.redhat.com/errata/RHSA-2026:30848
https://access.redhat.com/errata/RHSA-2026:33899
https://access.redhat.com/errata/RHSA-2026:33900
https://access.redhat.com/errata/RHSA-2026:34095
https://access.redhat.com/errata/RHSA-2026:35844
https://access.redhat.com/errata/RHSA-2026:33685
https://access.redhat.com/security/cve/CVE-2026-46090