Description
In the Linux kernel, the following vulnerability has been resolved:

ASoC: soc-core: flush delayed work before removing DAIs and widgets

When a sound card is unbound while a PCM stream is open, a
use-after-free can occur in snd_soc_dapm_stream_event(), called from
the close_delayed_work workqueue handler.

During unbind, snd_soc_unbind_card() flushes delayed work and then
calls soc_cleanup_card_resources(). Inside cleanup,
snd_card_disconnect_sync() releases all PCM file descriptors, and
the resulting PCM close path can call snd_soc_dapm_stream_stop()
which schedules new delayed work with a pmdown_time timer delay.
Since this happens after the flush in snd_soc_unbind_card(), the
new work is not caught. soc_remove_link_components() then frees
DAPM widgets before this work fires, leading to the use-after-free.

The existing flush in soc_free_pcm_runtime() also cannot help as it
runs after soc_remove_link_components() has already freed the widgets.

Add a flush in soc_cleanup_card_resources() after
snd_card_disconnect_sync() (after which no new PCM closes can
schedule further delayed work) and before soc_remove_link_dais()
and soc_remove_link_components() (which tear down the structures the
delayed work accesses).
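
The teardown ordering described above, as a small userspace model in C. This is an added example, not kernel code and not part of the CVE record; the struct, the `_model` function names and the boolean switch are assumptions for illustration, and the last flush stands in for both the late flush in soc_free_pcm_runtime() and the pmdown_time delay expiring.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model of the ordering only; nothing here is kernel code. */
struct card_model {
    bool widgets_alive;  /* DAPM widgets not yet freed */
    bool pcm_open;       /* a PCM stream is still open */
    bool work_pending;   /* close_delayed_work queued, delay not yet expired */
    int stale_accesses;  /* runs of the work after the widgets were freed */
};

/* Body of the delayed work: it dereferences the widgets. */
static void close_delayed_work_model(struct card_model *c)
{
    if (!c->widgets_alive)
        c->stale_accesses++;  /* in the kernel this is the use-after-free */
    c->work_pending = false;
}

/* Flush: run any queued work now and wait for it to finish. */
static void flush_model(struct card_model *c)
{
    if (c->work_pending)
        close_delayed_work_model(c);
}

/* Disconnect closes open PCMs; the close path queues new delayed work. */
static void disconnect_sync_model(struct card_model *c)
{
    c->work_pending = c->work_pending || c->pcm_open;
    c->pcm_open = false;
}

/* Unbind with one PCM open; returns how often freed widgets were touched. */
int unbind_card_model(bool flush_after_disconnect)
{
    struct card_model c = { .widgets_alive = true, .pcm_open = true };
    flush_model(&c);              /* snd_soc_unbind_card(): nothing queued yet */
    disconnect_sync_model(&c);    /* queues work after that flush */
    if (flush_after_disconnect)
        flush_model(&c);          /* the flush the fix adds */
    c.widgets_alive = false;      /* soc_remove_link_components() */
    flush_model(&c);              /* late flush or timer expiry */
    return c.stale_accesses;
}

int main(void)
{
    printf("old order: %d, with added flush: %d\n", unbind_card_model(false), unbind_card_model(true));
}
```
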
Published: 2026-05-08
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free occurs when a sound card is unbound while a PCM stream is still open, causing delayed work to reference freed DAPM widgets. This memory corruption can lead to a system crash or potentially allow an attacker to execute arbitrary code in kernel mode. The weakness is a classic use‑after‑free flaw, classified as CWE-416.

Affected Systems

The vulnerability affects the Linux kernel’s ALSA ASoC subsystem. No specific kernel releases are listed, so all distributions shipping a kernel that contains the vulnerable code are potentially impacted.

Risk and Exploitability

The CVSS score is 7.0, indicating a high severity. EPSS data is unavailable and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be local privileged, as the issue requires an attacker to unbind the sound card while a PCM stream is open—a capability normally restricted to kernel or root processes. The lack of publicly demonstrated exploitation or of an available exploit reduces the immediate risk, but the severity of a use‑after‑free in kernel space warrants a timely response.

Generated by OpenCVE AI on May 9, 2026 at 13:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel update that includes the patch for this use‑after‑free flaw.
  • If an update is not yet available, avoid unbinding sound cards while any PCM streams are active; ensure all audio streams are stopped before proceeding with unbind procedures.
  • As a temporary measure, restart the ALSA subsystem or reboot the system to clear pending delayed work before performing card removal.

Advisories

No advisories yet.

History

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 08 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-core: flush delayed work before removing DAIs and widgets When a sound card is unbound while a PCM stream is open, a use-after-free can occur in snd_soc_dapm_stream_event(), called from the close_delayed_work workqueue handler. During unbind, snd_soc_unbind_card() flushes delayed work and then calls soc_cleanup_card_resources(). Inside cleanup, snd_card_disconnect_sync() releases all PCM file descriptors, and the resulting PCM close path can call snd_soc_dapm_stream_stop() which schedules new delayed work with a pmdown_time timer delay. Since this happens after the flush in snd_soc_unbind_card(), the new work is not caught. soc_remove_link_components() then frees DAPM widgets before this work fires, leading to the use-after-free. The existing flush in soc_free_pcm_runtime() also cannot help as it runs after soc_remove_link_components() has already freed the widgets. Add a flush in soc_cleanup_card_resources() after snd_card_disconnect_sync() (after which no new PCM closes can schedule further delayed work) and before soc_remove_link_dais() and soc_remove_link_components() (which tear down the structures the delayed work accesses).
Title ASoC: soc-core: flush delayed work before removing DAIs and widgets
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:22:22.651Z

Reserved: 2026-05-01T14:12:56.010Z

Link: CVE-2026-43459

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:58.753

Modified: 2026-05-08T15:16:58.753

Link: CVE-2026-43459

Redhat

Severity : Moderate

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43459 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T13:45:34Z

Weaknesses