CVE-2026-43459 - Vulnerability Details

- ASoC: soc-core: flush delayed work before removing DAIs and widgets

Description

In the Linux kernel, the following vulnerability has been resolved:

ASoC: soc-core: flush delayed work before removing DAIs and widgets

When a sound card is unbound while a PCM stream is open, a
use-after-free can occur in snd_soc_dapm_stream_event(), called from
the close_delayed_work workqueue handler.

During unbind, snd_soc_unbind_card() flushes delayed work and then
calls soc_cleanup_card_resources(). Inside cleanup,
snd_card_disconnect_sync() releases all PCM file descriptors, and
the resulting PCM close path can call snd_soc_dapm_stream_stop()
which schedules new delayed work with a pmdown_time timer delay.
Since this happens after the flush in snd_soc_unbind_card(), the
new work is not caught. soc_remove_link_components() then frees
DAPM widgets before this work fires, leading to the use-after-free.

The existing flush in soc_free_pcm_runtime() also cannot help as it
runs after soc_remove_link_components() has already freed the widgets.

Add a flush in soc_cleanup_card_resources() after
snd_card_disconnect_sync() (after which no new PCM closes can
schedule further delayed work) and before soc_remove_link_dais()
and soc_remove_link_components() (which tear down the structures the
delayed work accesses).

Published: 2026-05-08

Score: 7.3 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The ALSA ASoC subsystem in the Linux kernel has a flaw that can cause a use‑after‑free when a sound card is unbound while audio streams are still active. The vulnerability occurs in the delayed‑work routine scheduled during the card unbinding process, which may reference DAPM widgets that have already been freed. A successful exploitation could corrupt kernel memory or lead to arbitrary code execution, and the impact is encapsulated by the CVSS score of 7.3.

Affected Systems

All Linux kernel builds that include the ALSA ASoC core before the posted fix are affected. The CPE data lists Linux kernel versions 7.0 releases candidates (RC1, RC2, RC3) and other kernels over that tree. Any distribution shipping an unpatched kernel with the vulnerable ASoC implementation is at risk.

Risk and Exploitability

The vulnerability is a local‑only issue; an attacker must trigger the unbind while streams are open, which normally requires local or root privileges. The EPSS score is less than 1 %, indicating a low probability of immediate exploitation. The vulnerability is not in CISA’s KEV set, and no public exploits are known. If successfully triggered, the use‑after‑free can lead to kernel panic or error codes, or if an attacker gains control, to escalated privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`e894efef9ac7c10b7727798dcc711cccf07569f9`	affected	< bf80a89da97285d9b877e0c6995e870d46b8025c
`e894efef9ac7c10b7727798dcc711cccf07569f9`	affected	< 3887e514978d28216246360b46a9cb534969eb5a
`e894efef9ac7c10b7727798dcc711cccf07569f9`	affected	< 231568afbc0cd25b8fb2a94ebf9738eabe1cf007
`e894efef9ac7c10b7727798dcc711cccf07569f9`	affected	< 317a9298c54bb00319da73e5a7179f00e67fcbdf
`e894efef9ac7c10b7727798dcc711cccf07569f9`	affected	< eab71e11ce2447c1e01809cbc11eab4234cf8dc8
`e894efef9ac7c10b7727798dcc711cccf07569f9`	affected	< 7d33e6140945482a07f8089ee86e13e02553ffdb
`e894efef9ac7c10b7727798dcc711cccf07569f9`	affected	< c054f0607c8bb1b1aa529bc109e4149298a1cccd
`e894efef9ac7c10b7727798dcc711cccf07569f9`	affected	< 95bc5c225513fc3c4ce169563fb5e3929fbb938b

Linux

affected

Version	Status	Constraints
`4.20`	affected	—
`0`	unaffected	< 4.20
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[e894efef9ac7c10b7727798dcc711cccf07569f9,bf80a89da97285d9b877e0c6995e870d46b8025c)`	affected	code_commit	—
`[e894efef9ac7c10b7727798dcc711cccf07569f9,3887e514978d28216246360b46a9cb534969eb5a)`	affected	code_commit	—
`[e894efef9ac7c10b7727798dcc711cccf07569f9,231568afbc0cd25b8fb2a94ebf9738eabe1cf007)`	affected	code_commit	—
`[e894efef9ac7c10b7727798dcc711cccf07569f9,317a9298c54bb00319da73e5a7179f00e67fcbdf)`	affected	code_commit	—
`[e894efef9ac7c10b7727798dcc711cccf07569f9,eab71e11ce2447c1e01809cbc11eab4234cf8dc8)`	affected	code_commit	—
`[e894efef9ac7c10b7727798dcc711cccf07569f9,7d33e6140945482a07f8089ee86e13e02553ffdb)`	affected	code_commit	—
`[e894efef9ac7c10b7727798dcc711cccf07569f9,c054f0607c8bb1b1aa529bc109e4149298a1cccd)`	affected	code_commit	—
`[e894efef9ac7c10b7727798dcc711cccf07569f9,95bc5c225513fc3c4ce169563fb5e3929fbb938b)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.20`	affected	generic	—
`[0,4.20)`	unaffected	generic	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.19,6.19.0)`	unaffected	semver	—
`[6.19.9,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel update that incorporates the fix for the ASoC use‑after‑free flaw.
If an update cannot be applied immediately, disable or unload the ALSA sound modules to prevent sound card unbinding while streams are active, thereby eliminating the unbind scenario.
For custom or legacy kernels that cannot be updated, manually cherry‑pick the relevant commit(s) from the Linux kernel git tree, rebuild the kernel, and install the patched binaries.

Generated by OpenCVE AI on May 21, 2026 at 20:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4606-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/231568afbc0cd25b8fb2a94ebf9738eabe1cf007
https://git.kernel.org/stable/c/317a9298c54bb00319da73e5a7179f00e67fcbdf
https://git.kernel.org/stable/c/3887e514978d28216246360b46a9cb534969eb5a
https://git.kernel.org/stable/c/7d33e6140945482a07f8089ee86e13e02553ffdb
https://git.kernel.org/stable/c/95bc5c225513fc3c4ce169563fb5e3929fbb938b
https://git.kernel.org/stable/c/bf80a89da97285d9b877e0c6995e870d46b8025c
https://git.kernel.org/stable/c/c054f0607c8bb1b1aa529bc109e4149298a1cccd
https://git.kernel.org/stable/c/eab71e11ce2447c1e01809cbc11eab4234cf8dc8
https://lore.kernel.org/linux-cve-announce/2026050800-CVE-2026-43459-2ed8@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43459
https://www.cve.org/CVERecord?id=CVE-2026-43459

History

Thu, 21 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
CPEs		cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::

Mon, 11 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Mon, 11 May 2026 07:45:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}`

Sat, 09 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-364
References		https://lore.kernel.org/linux-cve-announce/2026050800-CVE-2026-43459-2ed8@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43459 https://www.cve.org/CVERecord?id=CVE-2026-43459
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 08 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-core: flush delayed work before removing DAIs and widgets When a sound card is unbound while a PCM stream is open, a use-after-free can occur in snd_soc_dapm_stream_event(), called from the close_delayed_work workqueue handler. During unbind, snd_soc_unbind_card() flushes delayed work and then calls soc_cleanup_card_resources(). Inside cleanup, snd_card_disconnect_sync() releases all PCM file descriptors, and the resulting PCM close path can call snd_soc_dapm_stream_stop() which schedules new delayed work with a pmdown_time timer delay. Since this happens after the flush in snd_soc_unbind_card(), the new work is not caught. soc_remove_link_components() then frees DAPM widgets before this work fires, leading to the use-after-free. The existing flush in soc_free_pcm_runtime() also cannot help as it runs after soc_remove_link_components() has already freed the widgets. Add a flush in soc_cleanup_card_resources() after snd_card_disconnect_sync() (after which no new PCM closes can schedule further delayed work) and before soc_remove_link_dais() and soc_remove_link_components() (which tear down the structures the delayed work accesses).
Title		ASoC: soc-core: flush delayed work before removing DAIs and widgets
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/231568afbc0cd25b8fb2a94ebf9738eabe1cf007 https://git.kernel.org/stable/c/317a9298c54bb00319da73e5a7179f00e67fcbdf https://git.kernel.org/stable/c/3887e514978d28216246360b46a9cb534969eb5a https://git.kernel.org/stable/c/7d33e6140945482a07f8089ee86e13e02553ffdb https://git.kernel.org/stable/c/95bc5c225513fc3c4ce169563fb5e3929fbb938b https://git.kernel.org/stable/c/bf80a89da97285d9b877e0c6995e870d46b8025c https://git.kernel.org/stable/c/c054f0607c8bb1b1aa529bc109e4149298a1cccd https://git.kernel.org/stable/c/eab71e11ce2447c1e01809cbc11eab4234cf8dc8

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:22:22.651Z

Updated: 2026-05-11T22:24:59.782Z

Reserved: 2026-05-01T14:12:56.010Z

Link: CVE-2026-43459

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-08T15:16:58.753

Modified: 2026-05-21T16:45:58.407

Link: CVE-2026-43459

Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43459 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-21T20:15:18Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object