Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: aloop: Fix peer runtime UAF during format-change stop

loopback_check_format() may stop the capture side when playback starts
with parameters that no longer match a running capture stream. Commit
826af7fa62e3 ("ALSA: aloop: Fix racy access at PCM trigger") moved
the peer lookup under cable->lock, but the actual snd_pcm_stop() still
runs after dropping that lock.

A concurrent close can clear the capture entry from cable->streams[] and
detach or free its runtime while the playback trigger path still holds a
stale peer substream pointer.

Keep a per-cable count of in-flight peer stops before dropping
cable->lock, and make free_cable() wait for those stops before
detaching the runtime. This preserves the existing behavior while
making the peer runtime lifetime explicit.
Published: 2026-05-27
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
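
The in-flight count described in the fix, shown as a userspace model. This is an added example, not the kernel patch or code from this page: pthread primitives stand in for cable->lock, and the names stops_in_flight, stop_done, trigger_stop_peer, close_capture and race_once are assumptions.

```c
#include <pthread.h>
#include <stdlib.h>
struct runtime { int running; };
struct substream { struct runtime *runtime; };
struct cable {
    pthread_mutex_t lock;
    pthread_cond_t stop_done;    /* signalled when stops_in_flight reaches 0 */
    struct substream *capture;   /* models the capture slot of streams[] */
    int stops_in_flight;         /* hypothetical name: stops running unlocked */
};

/* Playback trigger path: stop the capture peer after a format mismatch. */
static int trigger_stop_peer(struct cable *c) {
    pthread_mutex_lock(&c->lock);
    struct substream *peer = c->capture;
    if (!peer) { pthread_mutex_unlock(&c->lock); return 0; }
    c->stops_in_flight++;        /* pin the peer before dropping the lock */
    pthread_mutex_unlock(&c->lock);
    peer->runtime->running = 0;  /* stand-in for snd_pcm_stop(), lock not held */
    pthread_mutex_lock(&c->lock);
    if (--c->stops_in_flight == 0)
        pthread_cond_broadcast(&c->stop_done);
    pthread_mutex_unlock(&c->lock);
    return 1;
}

/* Close path: unpublish the stream, wait out in-flight stops, then free. */
static void *close_capture(void *arg) {
    struct cable *c = arg;
    pthread_mutex_lock(&c->lock);
    struct substream *s = c->capture;
    c->capture = NULL;           /* later lookups can no longer find it */
    while (c->stops_in_flight > 0)
        pthread_cond_wait(&c->stop_done, &c->lock);
    pthread_mutex_unlock(&c->lock);
    free(s->runtime);            /* no stop can still dereference it */
    return NULL;
}

/* Race one trigger against one close; returns 1 if the cable ends clean. */
int race_once(void) {
    struct substream s = { calloc(1, sizeof(struct runtime)) };
    struct cable c = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER, &s, 0 };
    pthread_t t;
    pthread_create(&t, NULL, close_capture, &c);
    trigger_stop_peer(&c);
    pthread_join(t, NULL);
    return !c.capture && !c.stops_in_flight;
}
```

Removing the wait loop in close_capture() reproduces the reported window: the free can then run between the unlocked lookup result and the write through peer->runtime.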
AI Analysis

Impact

In the ALSA loopback driver (aloop) of the Linux kernel, a use-after-free can occur when a playback stream is started with parameters that no longer match an active capture stream. The playback trigger path looks up the capture peer under cable->lock but calls snd_pcm_stop() after dropping that lock, so a concurrent close can detach or free the capture runtime while the trigger path still holds a stale peer substream pointer. This memory corruption is classified as CWE-364 and can lead to privilege escalation or system crash.

Affected Systems

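Affected versions are Linux kernel builds that contain the ALSA loopback driver and lack the fix for CVE-2026-46090. Commit 826af7fa62e3 is the earlier change named in the description, which moved the peer lookup under cable->lock but still runs snd_pcm_stop() after dropping it, so its presence alone does not indicate a fixed kernel; this page does not identify the fixing commit. Any distribution delivering a kernel without the fix is potentially vulnerable. Administrators should verify the kernel version and confirm that the aloop module is either upgraded or disabled.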

Risk and Exploitability

The CVSS base score of 7.0 indicates high severity, but the EPSS score is not available and the vulnerability is not recorded in the CISA KEV catalog, indicating no known public exploits. Based on the description, it is inferred that an attacker would need local user or audio‑application privileges to trigger concurrent playback and capture streams, which could be used to exploit the race condition. Consequently, the risk is significant for systems that enable audio streaming from untrusted users.

Generated by OpenCVE AI on May 28, 2026 at 04:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

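  • Upgrade the Linux kernel to a release that includes the CVE-2026-46090 fix. Commit 826af7fa62e3 is the earlier change named in the description, not the fix, so confirm against the CVE identifier rather than that commit.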
  • If a kernel update cannot be applied immediately, unload the ALSA ‘aloop’ module or otherwise disable loopback audio devices to eliminate the race condition until a patched kernel is available.
  • Restrict audio application privileges or implement SELinux/AppArmor profiles to limit the ability to initiate concurrent capture and playback streams until the vulnerability is resolved.

Generated by OpenCVE AI on May 28, 2026 at 04:22 UTC.

Advisories

No advisories yet.

History

Thu, 28 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Wed, 27 May 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description (same text as the Description at the top of this page)
Title ALSA: aloop: Fix peer runtime UAF during format-change stop
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:58:34.428Z

Reserved: 2026-05-13T15:03:33.097Z

Link: CVE-2026-46090

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:30.547

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46090

Redhat

Severity : Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46090 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T04:30:06Z

Weaknesses