Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams

snd_pcm_drain() uses init_waitqueue_entry which does not clear
entry.prev/next, and add_wait_queue with a conditional
remove_wait_queue that is skipped when to_check is no longer
in the group after concurrent UNLINK. The orphaned wait entry
remains on the unlinked substream sleep queue. On the next
drain iteration, add_wait_queue adds the entry to a new queue
while still linked on the old one, corrupting both lists. A
subsequent wake_up dereferences NULL at the func pointer
(mapped from the spinlock at offset 0 of the misinterpreted
wait_queue_head_t), causing a kernel panic.

Replace init_waitqueue_entry/add_wait_queue/conditional
remove_wait_queue with init_wait_entry/prepare_to_wait/
finish_wait. init_wait_entry clears prev/next via
INIT_LIST_HEAD on each iteration and sets
autoremove_wake_function which auto-removes the entry on
wake-up. finish_wait safely handles both the already-removed
and still-queued cases.
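The list corruption described in the commit message, modelled in userspace as an added example (not kernel code and not the patch itself): the assumed list_head, wq_head and wq_entry types are minimal stand-ins for the kernel structures, the kernel API names appear only in comments, and the walk mimics how a wake_up() would read each node as a wait entry.

```c
/* Added example, not kernel code: a userspace model of the wait-queue bug fixed
 * by this CVE. list_head, wq_head and wq_entry are minimal stand-ins for the
 * kernel structures; kernel API names appear only in comments. */
#include <stddef.h>
#include <stdint.h>

struct list_head { struct list_head *next, *prev; };
struct wq_head  { uintptr_t lock; struct list_head head; };  /* lock at offset 0, like wait_queue_head_t */
struct wq_entry { uintptr_t func; struct list_head entry; }; /* wake function, then the list links */
#define container_of(p, T, m) ((T *)((char *)(p) - offsetof(T, m)))
static void list_init(struct list_head *l) { l->next = l->prev = l; }
static int  list_empty(const struct list_head *l) { return l->next == l; }
static void list_add(struct list_head *n, struct list_head *h) { n->next = h->next; n->prev = h; h->next->prev = n; h->next = n; }
static void list_del(struct list_head *n) { n->next->prev = n->prev; n->prev->next = n->next; list_init(n); }

/* Model of wake_up(): walk the queue as wq_entry nodes; 1 if a node's func would be
 * NULL (the "entry" is really a queue head whose lock sits where func is read),
 * -1 if the walk never returns to the head, 0 if the queue is sane. */
static int wake_up_check(struct wq_head *q) {
    int hops = 0;
    for (struct list_head *p = q->head.next; p != &q->head; p = p->next) {
        if (container_of(p, struct wq_entry, entry)->func == 0) return 1;
        if (++hops > 8) return -1;
    }
    return 0;
}

/* Buggy sequence from the commit message: entry initialised once, added to the old
 * queue, removal skipped after a concurrent UNLINK, then added to the new queue. */
static int buggy_drain(void) {
    struct wq_head oldq = {0}, newq = {0}; struct wq_entry e;
    list_init(&oldq.head); list_init(&newq.head);
    e.func = 1;                          /* init_waitqueue_entry: func set, entry.prev/next untouched */
    list_add(&e.entry, &oldq.head);      /* add_wait_queue on the old sleep queue */
    /* conditional remove_wait_queue skipped: to_check has left the group */
    list_add(&e.entry, &newq.head);      /* next iteration: added to newq while still on oldq */
    return wake_up_check(&oldq);         /* oldq now chains into newq's head: func reads as NULL */
}

/* Fixed sequence: init_wait_entry/prepare_to_wait/finish_wait on every iteration. */
static int fixed_drain(void) {
    struct wq_head oldq = {0}, newq = {0}; struct wq_entry e;
    list_init(&oldq.head); list_init(&newq.head);
    for (int i = 0; i < 2; i++) {
        struct wq_head *q = i ? &newq : &oldq;
        e.func = 1; list_init(&e.entry);                        /* init_wait_entry: INIT_LIST_HEAD */
        if (list_empty(&e.entry)) list_add(&e.entry, &q->head);  /* prepare_to_wait */
        if (!list_empty(&e.entry)) list_del(&e.entry);           /* finish_wait: safe either way */
    }
    return wake_up_check(&oldq) == 0 && wake_up_check(&newq) == 0;
}
```

buggy_drain() returns 1 because the walk of the old queue reaches the new queue's head and reads its zeroed lock where a wait entry's func would be; fixed_drain() returns 1 because both queues are empty and consistent after every iteration.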
Published: 2026-06-25
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the ALSA PCM subsystem of the Linux kernel. When snd_pcm_drain() is called on a linked stream, the routine initializes its wait-queue entry without clearing the entry's list links and removes it from the sleep queue only conditionally. If the stream is concurrently unlinked, that removal is skipped and the orphaned wait entry remains attached to the old sleep queue. The next drain iteration adds the same entry to a new queue while it is still on the old one, corrupting both linked lists. When the kernel later wakes the old queue, it walks into the mis-linked node, reads a NULL function pointer and panics. This is a denial-of-service condition that can bring the entire system down.

Affected Systems

All Linux kernel releases before the patch are affected. The flaw is in the ALSA component of the generic Linux kernel and is independent of distribution. The kernel commit replaces init_waitqueue_entry/add_wait_queue with init_wait_entry/prepare_to_wait/finish_wait; the fix is included in mainline from an unspecified commit date. Any Linux system running a kernel that predates the merged commit is therefore vulnerable.

Risk and Exploitability

No CVSS score is listed, but a kernel panic is a severe outcome. Exploitation likely requires local access: an untrusted audio application would need to trigger snd_pcm_drain() on a linked stream while that stream is concurrently unlinked. Because the vulnerability is reached through normal audio operations, an attacker with local permissions could potentially cause the crash. No EPSS score is available and the vulnerability is not in the CISA KEV catalog, so no active exploitation is publicly known. Nevertheless, the high impact warrants urgent patching, especially in environments that expose the ALSA subsystem to untrusted users or remotely supplied code.

Generated by OpenCVE AI on June 25, 2026 at 11:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the fix for snd_pcm_drain() wait-queue handling.
  • Reboot the system or reload the ALSA module after the kernel update to ensure the new code is active.
  • If an immediate kernel upgrade is not possible, restrict or sandbox applications that perform snd_pcm_drain() on linked streams and monitor for any kernel panic logs.

Generated by OpenCVE AI on June 25, 2026 at 11:12 UTC.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 11:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-476

Thu, 25 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams snd_pcm_drain() uses init_waitqueue_entry which does not clear entry.prev/next, and add_wait_queue with a conditional remove_wait_queue that is skipped when to_check is no longer in the group after concurrent UNLINK. The orphaned wait entry remains on the unlinked substream sleep queue. On the next drain iteration, add_wait_queue adds the entry to a new queue while still linked on the old one, corrupting both lists. A subsequent wake_up dereferences NULL at the func pointer (mapped from the spinlock at offset 0 of the misinterpreted wait_queue_head_t), causing a kernel panic. Replace init_waitqueue_entry/add_wait_queue/conditional remove_wait_queue with init_wait_entry/prepare_to_wait/ finish_wait. init_wait_entry clears prev/next via INIT_LIST_HEAD on each iteration and sets autoremove_wake_function which auto-removes the entry on wake-up. finish_wait safely handles both the already-removed and still-queued cases.
Title | | ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

Subscriptions

Linux Linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:37.129Z

Reserved: 2026-06-09T07:44:35.393Z

Link: CVE-2026-53242

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T11:15:10Z

Weaknesses