7.8
CVE-2026-46090
- EPSS 0.1%
- Veröffentlicht 27.05.2026 12:58:34
- Zuletzt bearbeitet 07.07.2026 12:16:52
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
ALSA: aloop: Fix peer runtime UAF during format-change stop
In the Linux kernel, the following vulnerability has been resolved:
ALSA: aloop: Fix peer runtime UAF during format-change stop
loopback_check_format() may stop the capture side when playback starts
with parameters that no longer match a running capture stream. Commit
826af7fa62e3 ("ALSA: aloop: Fix racy access at PCM trigger") moved
the peer lookup under cable->lock, but the actual snd_pcm_stop() still
runs after dropping that lock.
A concurrent close can clear the capture entry from cable->streams[] and
detach or free its runtime while the playback trigger path still holds a
stale peer substream pointer.
Keep a per-cable count of in-flight peer stops before dropping
cable->lock, and make free_cable() wait for those stops before
detaching the runtime. This preserves the existing behavior while
making the peer runtime lifetime explicit.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 2.6.37 < 5.10.259
Linux ≫ Linux Kernel Version >= 5.11 < 5.15.210
Linux ≫ Linux Kernel Version >= 5.16 < 6.12.88
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.27
Linux ≫ Linux Kernel Version >= 6.19 < 7.0.4
Linux ≫ Linux Kernel Version7.1 Updaterc1
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.1% | 0.012 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7 | 1 | 5.9 |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-364 Signal Handler Race Condition
The product uses a signal handler that introduces a race condition.
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/03f52a9c170431e8f10e156b9dc0dae80b3e9198
https://git.kernel.org/stable/c/bdd9503c3d222d2735b56c7a8b4422ccf3de6e5c
https://git.kernel.org/stable/c/5d45e34bf001344e2966dabca1897561bbc9e913
https://git.kernel.org/stable/c/e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff
https://git.kernel.org/stable/c/345c24b2bcf0923dfae1ab41497351c68214ff76
https://git.kernel.org/stable/c/83bd62fa9620ac98d5d694bde14c50f98c8e7189
https://bugzilla.redhat.com/show_bug.cgi?id=2481980
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46090.json
https://access.redhat.com/errata/RHSA-2026:27353
https://access.redhat.com/errata/RHSA-2026:27354
https://access.redhat.com/errata/RHSA-2026:33215
https://access.redhat.com/errata/RHSA-2026:34094
https://access.redhat.com/errata/RHSA-2026:34443
https://access.redhat.com/errata/RHSA-2026:35863
https://access.redhat.com/errata/RHSA-2026:35896
https://access.redhat.com/errata/RHSA-2026:30848
https://access.redhat.com/errata/RHSA-2026:33899
https://access.redhat.com/errata/RHSA-2026:33900
https://access.redhat.com/errata/RHSA-2026:34095
https://access.redhat.com/errata/RHSA-2026:35844
https://access.redhat.com/errata/RHSA-2026:33685
https://access.redhat.com/security/cve/CVE-2026-46090