Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: aloop: Fix racy access at PCM trigger

The PCM trigger callback of aloop driver tries to check the PCM state
and stop the stream of the tied substream in the corresponding cable.
Since both check and stop operations are performed outside the cable
lock, this may result in UAF when a program attempts to trigger
frequently while opening/closing the tied stream, as spotted by
fuzzers.

For addressing the UAF, this patch changes two things:
- It covers the most of code in loopback_check_format() with
cable->lock spinlock, and add the proper NULL checks. This avoids
already some racy accesses.
- In addition, now we try to check the state of the capture PCM stream
that may be stopped in this function, which was the major pain point
leading to UAF.
Published: 2026-02-14
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel use‑after‑free that could lead to local privilege escalation or denial of service
Action: Apply Patch
AI Analysis

Impact

The ALSA aloop driver in the Linux kernel contains a race between checking the PCM state and stopping a tied substream. Because these operations occur outside the cable lock, frequent trigger calls while the substream is opened or closed can lead to a use‑after‑free in the kernel. A use‑after‑free allows an attacker to corrupt kernel memory and may result in a crash or in the execution of arbitrary code with kernel privileges. The vulnerability is limited to the ALSA loopback device and requires the ability to trigger it, typically through a user‑space audio program.

Affected Systems

All Linux kernel builds are affected until the patch that surrounds the critical code with a spin‑lock and adds null checks is applied. The patch appears in kernel 6.19 releases and backported to earlier releases. Devices running Linux kernels other than the patched versions expose the loopback driver to the race condition described above.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, but the EPSS score of less than 1% signals that the likelihood of exploitation is low at present. The vulnerability is local, requiring a program with access to the ALSA loopback device; it is not remotely exploitable. Because it is not listed in the CISA KEV catalog, there is no widespread evidence of active exploitation. Nevertheless, the potential for privilege escalation or service disruption warrants prompt mitigation.

Generated by OpenCVE AI on April 15, 2026 at 20:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the latest ALSA loopback driver patches
  • If an immediate kernel upgrade is not feasible, restrict access to the ALSA loopback device by adjusting udev rules or file permissions so that only trusted applications can trigger it
  • Monitor the system for kernel crashes or abnormal audio driver behavior, and apply emergency kernel patches or roll back to a known stable release if instability occurs

Generated by OpenCVE AI on April 15, 2026 at 20:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6141-1 linux security update
History

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 18 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Sat, 14 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at PCM trigger The PCM trigger callback of aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are performed outside the cable lock, this may result in UAF when a program attempts to trigger frequently while opening/closing the tied stream, as spotted by fuzzers. For addressing the UAF, this patch changes two things: - It covers the most of code in loopback_check_format() with cable->lock spinlock, and add the proper NULL checks. This avoids already some racy accesses. - In addition, now we try to check the state of the capture PCM stream that may be stopped in this function, which was the major pain point leading to UAF.
Title ALSA: aloop: Fix racy access at PCM trigger
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T13:32:23.475Z

Reserved: 2026-01-13T15:37:45.985Z

Link: CVE-2026-23191

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2026-02-14T17:15:56.917

Modified: 2026-04-03T14:16:26.377

Link: CVE-2026-23191

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23191 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T20:30:13Z

Weaknesses