Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()

In the drain loop, the local variable 'runtime' is reassigned to a
linked stream's runtime (runtime = s->runtime at line 2157). After
releasing the stream lock at line 2169, the code accesses
runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size
(lines 2170-2178) — all referencing the linked stream's runtime without
any lock or refcount protecting its lifetime.

A concurrent close() on the linked stream's fd triggers
snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private()
→ snd_pcm_unlink() → snd_pcm_detach_substream() → kfree(runtime).
No synchronization prevents kfree(runtime) from completing while the
drain path dereferences the stale pointer.

Fix by caching the needed runtime fields (no_period_wakeup, rate,
buffer_size) into local variables while still holding the stream lock,
and using the cached values after the lock is released.
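To make the locking pattern concrete, here is an added C model of the race and of the fix described above. It is constructed for this page and is not the kernel's code: the structs, the lock, the unlock hook that stands in for the concurrent close(), the 48 kHz sample stream and the timeout arithmetic are all assumptions, and the kernel's kfree(runtime) is replaced by poisoning the object so that the stale read is observable instead of being undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the snd_pcm_drain() race. Nothing here is kernel code:
 * the structs, the lock, the unlock hook and the timeout formula are stand-ins. */

struct runtime {
    int no_period_wakeup;
    unsigned int rate;
    unsigned long buffer_size;
};

struct substream {
    struct runtime *runtime;  /* torn down by a concurrent close() on this fd */
};

/* Hook that fires when the stream lock is released. When set, it plays the
 * concurrent close() that wins the race; the kernel path ends in kfree(runtime),
 * here the object is poisoned so a stale read yields zeros instead of UB. */
static void (*on_unlock)(struct substream *s) = NULL;

static void stream_lock(struct substream *s) { (void)s; }
static void stream_unlock(struct substream *s) { if (on_unlock) on_unlock(s); }

void simulated_close_detaches_runtime(struct substream *s)
{
    memset(s->runtime, 0, sizeof *s->runtime); /* stands in for kfree() */
    s->runtime = NULL;
}

/* Stand-in drain timeout in milliseconds; -1 means "wait without timeout". */
static long drain_timeout_ms(int no_period_wakeup, unsigned int rate,
                             unsigned long buffer_size)
{
    if (no_period_wakeup)
        return -1;
    if (rate == 0)
        return 100;  /* fallback when the fields are unusable */
    return (long)(buffer_size * 1000UL / rate) + 100;
}

/* Before the fix: the pointer taken under the lock is dereferenced after the
 * lock that kept the runtime alive has been dropped. */
long drain_timeout_before_fix(struct substream *s)
{
    struct runtime *runtime;

    stream_lock(s);
    runtime = s->runtime;   /* runtime = s->runtime, as in the drain loop */
    stream_unlock(s);       /* close() may free the runtime from here on */
    return drain_timeout_ms(runtime->no_period_wakeup, runtime->rate,
                            runtime->buffer_size);  /* stale dereference */
}

/* After the fix: copy the three fields while the lock is held and use only
 * the copies once it is released. */
long drain_timeout_after_fix(struct substream *s)
{
    int no_period_wakeup;
    unsigned int rate;
    unsigned long buffer_size;

    stream_lock(s);
    no_period_wakeup = s->runtime->no_period_wakeup;
    rate = s->runtime->rate;
    buffer_size = s->runtime->buffer_size;
    stream_unlock(s);
    return drain_timeout_ms(no_period_wakeup, rate, buffer_size);
}

/* Constructed stream: 48 kHz with a one-second buffer, period wakeups on. */
void setup_stream(struct substream *s, struct runtime *rt)
{
    rt->no_period_wakeup = 0;
    rt->rate = 48000;
    rt->buffer_size = 48000;
    s->runtime = rt;
}

/* One drain-timeout computation, with the simulated close() racing (race=1)
 * or not (race=0), through the pre-fix (fixed=0) or post-fix (fixed=1) path. */
long run_scenario(int fixed, int race)
{
    struct runtime rt;
    struct substream s;

    setup_stream(&s, &rt);
    on_unlock = race ? simulated_close_detaches_runtime : NULL;
    return fixed ? drain_timeout_after_fix(&s) : drain_timeout_before_fix(&s);
}

int main(void)
{
    printf("before fix, close() wins the race: %ld ms (fields read after free)\n",
           run_scenario(0, 1));
    printf("after fix,  close() wins the race: %ld ms\n", run_scenario(1, 1));
    printf("no race, either path:              %ld ms\n", run_scenario(1, 0));
    return 0;
}
```

Without the race both paths compute the same timeout; with it, the pre-fix path silently computes from whatever the freed memory now holds, which is the memory-corruption exposure the advisory describes, while the fixed path is unaffected because it never touches the runtime after the unlock.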
Published: 2026-05-08
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw touches the ALSA subsystem in the Linux kernel. During a pcm drain operation, a stream's runtime pointer is reused after its lock is released and a concurrent close frees the runtime structure, leaving a stale pointer that is dereferenced. This use‑after‑free can corrupt memory and, depending on context, may allow an attacker to execute arbitrary code or cause a crash.

Affected Systems

Affected systems are Linux kernel builds that include the ALSA PCM subsystem. The CVE description references the pcm drain loop around lines 2150‑2180, but no specific kernel releases or version numbers are listed. As a result, the affected version range cannot be determined solely from the provided data. Security teams should verify their kernel versions against the kernel source that contains the patch and assess whether their builds include the vulnerable code path.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The use‑after‑free occurs during a PCM drain operation without appropriate locking, potentially allowing a concurrent close to free the runtime structure while the drain logic continues to dereference it. This flaw can lead to memory corruption within the kernel and requires local access (CVSS AV:L). No publicly released exploit is known from the CVE data, and the EPSS score of <1% suggests a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 11, 2026 at 09:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that contains the ALSA use‑after‑free fix
  • If an immediate update is not possible, restrict or block access to ALSA devices (e.g., /dev/snd/*) via ACLs or policies to reduce the chance of concurrent drain operations
  • Continuously monitor kernel logs and ALSA‑related events for crashes or anomalies and investigate promptly

Advisories
Source       ID           Title
Debian DLA   DLA-4606-1   linux security update
History

Thu, 21 May 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*

Mon, 11 May 2026 07:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Sat, 09 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 08 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description (added; full text identical to the Description section above)
Title ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
First Time appeared   Linux, Linux Kernel
CPEs                  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products    Linux, Linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:24:34.477Z

Reserved: 2026-05-01T14:12:56.009Z

Link: CVE-2026-43437

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-08T15:16:56.037

Modified: 2026-05-21T17:41:41.273

Link: CVE-2026-43437

Redhat

Severity : Moderate

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43437 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-11T09:45:07Z

Weaknesses