Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()

In the drain loop, the local variable 'runtime' is reassigned to a
linked stream's runtime (runtime = s->runtime at line 2157). After
releasing the stream lock at line 2169, the code accesses
runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size
(lines 2170-2178) — all referencing the linked stream's runtime without
any lock or refcount protecting its lifetime.

A concurrent close() on the linked stream's fd triggers
snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private()
→ snd_pcm_unlink() → snd_pcm_detach_substream() → kfree(runtime).
No synchronization prevents kfree(runtime) from completing while the
drain path dereferences the stale pointer.

Fix by caching the needed runtime fields (no_period_wakeup, rate,
buffer_size) into local variables while still holding the stream lock,
and using the cached values after the lock is released.
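A simplified user-space model of the fix pattern described above, added here as an illustration; it is not the kernel's code. The structs, the toy single-threaded lock, the timeout formula and the sample values (48 kHz, 4800-frame buffer) are assumptions made for the model. The race is reproduced by sequencing: the stream lock is dropped, a modeled close() frees the runtime, and the drain path then works only from the values it cached under the lock.

```c
#include <assert.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative model of a PCM substream and its runtime (not the kernel's
 * own definitions). */
struct pcm_runtime {
	bool no_period_wakeup;
	unsigned int rate;           /* frames per second */
	unsigned long buffer_size;   /* frames */
};

struct pcm_substream {
	bool locked;                 /* toy lock: the model is single-threaded */
	struct pcm_runtime *runtime; /* set to NULL and freed by a modeled close() */
};

/* The values the drain path still needs after it has dropped the lock. */
struct drain_params {
	bool no_period_wakeup;
	unsigned int rate;
	unsigned long buffer_size;
};

static void stream_lock(struct pcm_substream *s)   { assert(!s->locked); s->locked = true; }
static void stream_unlock(struct pcm_substream *s) { assert(s->locked);  s->locked = false; }

/* Copy the needed fields while the stream lock is held. Returns false when
 * the runtime is already gone, so the caller never holds a stale pointer. */
bool drain_params_snapshot(struct pcm_substream *s, struct drain_params *p)
{
	bool ok = false;

	stream_lock(s);
	if (s->runtime) {
		p->no_period_wakeup = s->runtime->no_period_wakeup;
		p->rate = s->runtime->rate;
		p->buffer_size = s->runtime->buffer_size;
		ok = true;
	}
	stream_unlock(s);
	return ok;
}

/* Wait budget computed from the cached values only. The formula is an
 * assumption for this model: time to play the buffer once, and no bound
 * at all when period wakeups are disabled. */
unsigned long drain_timeout_ms(const struct drain_params *p)
{
	if (p->no_period_wakeup)
		return ULONG_MAX;
	if (p->rate == 0)
		return 0;
	return p->buffer_size * 1000UL / p->rate;
}

/* Models the close() side: detach and free the runtime under the lock.
 * Any pointer to the old runtime is dangling after this returns. */
void pcm_close_model(struct pcm_substream *s)
{
	stream_lock(s);
	free(s->runtime);
	s->runtime = NULL;
	stream_unlock(s);
}

/* Drain path using the fix pattern. The vulnerable pattern would read
 * s->runtime->rate and friends after the unlock; here only the snapshot
 * is used, so the modeled close() in the race window is harmless. */
unsigned long pcm_drain_model(struct pcm_substream *s)
{
	struct drain_params p;

	if (!drain_params_snapshot(s, &p))
		return 0;           /* stream already closed, nothing to wait for */

	pcm_close_model(s);         /* concurrent close() wins the race */

	return drain_timeout_ms(&p); /* s->runtime is NULL now; cached values only */
}

/* Builds a substream with constructed parameters. */
struct pcm_substream *make_substream(unsigned int rate, unsigned long buffer_size,
				     bool no_period_wakeup)
{
	struct pcm_substream *s = calloc(1, sizeof(*s));
	struct pcm_runtime *rt = calloc(1, sizeof(*rt));

	if (!s || !rt) {
		free(s);
		free(rt);
		return NULL;
	}
	rt->rate = rate;
	rt->buffer_size = buffer_size;
	rt->no_period_wakeup = no_period_wakeup;
	s->runtime = rt;
	return s;
}

void free_substream(struct pcm_substream *s)
{
	if (!s)
		return;
	pcm_close_model(s); /* free(NULL) is a no-op if already closed */
	free(s);
}

int main(void)
{
	struct pcm_substream *s = make_substream(48000, 4800, false);

	printf("drain timeout: %lu ms, runtime %s\n", pcm_drain_model(s),
	       s->runtime ? "alive" : "freed");
	free_substream(s);
	return 0;
}
```

The point of the model is the ordering: every field read happens inside `drain_params_snapshot()` while the lock is held, and nothing after `stream_unlock()` touches `s->runtime` again. That is the invariant a reviewer would check when auditing drain-style loops that iterate over linked streams.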
Published: 2026-05-08
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in the ALSA subsystem of the Linux kernel. During a PCM drain operation, a linked stream's runtime pointer is used after the stream lock is released; a concurrent close() frees the runtime structure in that window, leaving a stale pointer that is then dereferenced. This use‑after‑free can corrupt kernel memory and, depending on context, may allow an attacker to execute arbitrary code or cause a crash.

Affected Systems

All Linux kernel builds that include the affected ALSA PCM drain code (around lines 2150–2180 of the drain path) are potentially affected until the fix is applied. The issue is not tied to a single version; the patch applies to current and future builds.

Risk and Exploitability

The CVSS score of 7.0 classifies the vulnerability as high severity. Because the dereference occurs without any synchronization, the exploitability is considered high once a user or process can trigger a drain while the stream is concurrently closed. No publicly available exploit exists, but the EPSS score of 0.00024 (<1%) indicates a very low yet non‑zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, but the lack of locking for a runtime structure presents a critical risk that could be leveraged locally to corrupt kernel memory or gain elevated privileges.

Generated by OpenCVE AI on May 9, 2026 at 15:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that contains the ALSA use‑after‑free fix
  • If an immediate update is not possible, restrict or block access to ALSA devices (e.g., /dev/snd/*) via ACLs or policies to reduce the chance of concurrent drain operations
  • Continuously monitor kernel logs and ALSA‑related events for crashes or anomalies and investigate promptly

Advisories

No advisories yet.

History

Sat, 09 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 08 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime (runtime = s->runtime at line 2157). After releasing the stream lock at line 2169, the code accesses runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size (lines 2170-2178) — all referencing the linked stream's runtime without any lock or refcount protecting its lifetime. A concurrent close() on the linked stream's fd triggers snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private() → snd_pcm_unlink() → snd_pcm_detach_substream() → kfree(runtime). No synchronization prevents kfree(runtime) from completing while the drain path dereferences the stale pointer. Fix by caching the needed runtime fields (no_period_wakeup, rate, buffer_size) into local variables while still holding the stream lock, and using the cached values after the lock is released.
Title ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:22:07.314Z

Reserved: 2026-05-01T14:12:56.009Z

Link: CVE-2026-43437

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T15:16:56.037

Modified: 2026-05-08T15:16:56.037

Link: CVE-2026-43437

Redhat

Severity: Moderate

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43437 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T16:00:13Z

Weaknesses