CVE-2026-46090 (GCVE-0-2026-46090)

Vulnerability from cvelistv5 – Published: 2026-05-27 12:58 – Updated: 2026-05-27 12:58
Title
ALSA: aloop: Fix peer runtime UAF during format-change stop
Summary
In the Linux kernel, the following vulnerability has been resolved:

ALSA: aloop: Fix peer runtime UAF during format-change stop

loopback_check_format() may stop the capture side when playback starts with parameters that no longer match a running capture stream. Commit 826af7fa62e3 ("ALSA: aloop: Fix racy access at PCM trigger") moved the peer lookup under cable->lock, but the actual snd_pcm_stop() still runs after dropping that lock.

A concurrent close can clear the capture entry from cable->streams[] and detach or free its runtime while the playback trigger path still holds a stale peer substream pointer.

Keep a per-cable count of in-flight peer stops before dropping cable->lock, and make free_cable() wait for those stops before detaching the runtime. This preserves the existing behavior while making the peer runtime lifetime explicit.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 597603d615d2b19a9e451d8cfac24372856a522d , < 03f52a9c170431e8f10e156b9dc0dae80b3e9198 (git)
Affected: 597603d615d2b19a9e451d8cfac24372856a522d , < bdd9503c3d222d2735b56c7a8b4422ccf3de6e5c (git)
Affected: 597603d615d2b19a9e451d8cfac24372856a522d , < 5d45e34bf001344e2966dabca1897561bbc9e913 (git)
Affected: 597603d615d2b19a9e451d8cfac24372856a522d , < e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff (git)
Linux Linux Affected: 2.6.37
Unaffected: 0 , < 2.6.37 (semver)
Unaffected: 6.12.88 , ≤ 6.12.* (semver)
Unaffected: 6.18.27 , ≤ 6.18.* (semver)
Unaffected: 7.0.4 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc2 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/drivers/aloop.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "03f52a9c170431e8f10e156b9dc0dae80b3e9198",
              "status": "affected",
              "version": "597603d615d2b19a9e451d8cfac24372856a522d",
              "versionType": "git"
            },
            {
              "lessThan": "bdd9503c3d222d2735b56c7a8b4422ccf3de6e5c",
              "status": "affected",
              "version": "597603d615d2b19a9e451d8cfac24372856a522d",
              "versionType": "git"
            },
            {
              "lessThan": "5d45e34bf001344e2966dabca1897561bbc9e913",
              "status": "affected",
              "version": "597603d615d2b19a9e451d8cfac24372856a522d",
              "versionType": "git"
            },
            {
              "lessThan": "e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff",
              "status": "affected",
              "version": "597603d615d2b19a9e451d8cfac24372856a522d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/drivers/aloop.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.37"
            },
            {
              "lessThan": "2.6.37",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc2",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: aloop: Fix peer runtime UAF during format-change stop\n\nloopback_check_format() may stop the capture side when playback starts\nwith parameters that no longer match a running capture stream. Commit\n826af7fa62e3 (\"ALSA: aloop: Fix racy access at PCM trigger\") moved\nthe peer lookup under cable-\u003elock, but the actual snd_pcm_stop() still\nruns after dropping that lock.\n\nA concurrent close can clear the capture entry from cable-\u003estreams[] and\ndetach or free its runtime while the playback trigger path still holds a\nstale peer substream pointer.\n\nKeep a per-cable count of in-flight peer stops before dropping\ncable-\u003elock, and make free_cable() wait for those stops before\ndetaching the runtime. This preserves the existing behavior while\nmaking the peer runtime lifetime explicit."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T12:58:34.428Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/03f52a9c170431e8f10e156b9dc0dae80b3e9198"
        },
        {
          "url": "https://git.kernel.org/stable/c/bdd9503c3d222d2735b56c7a8b4422ccf3de6e5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d45e34bf001344e2966dabca1897561bbc9e913"
        },
        {
          "url": "https://git.kernel.org/stable/c/e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff"
        }
      ],
      "title": "ALSA: aloop: Fix peer runtime UAF during format-change stop",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46090",
    "datePublished": "2026-05-27T12:58:34.428Z",
    "dateReserved": "2026-05-13T15:03:33.097Z",
    "dateUpdated": "2026-05-27T12:58:34.428Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-46090",
      "date": "2026-05-29",
      "epss": "0.00018",
      "percentile": "0.04919"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46090\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-27T14:17:30.547\",\"lastModified\":\"2026-05-27T14:48:03.013\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nALSA: aloop: Fix peer runtime UAF during format-change stop\\n\\nloopback_check_format() may stop the capture side when playback starts\\nwith parameters that no longer match a running capture stream. Commit\\n826af7fa62e3 (\\\"ALSA: aloop: Fix racy access at PCM trigger\\\") moved\\nthe peer lookup under cable-\u003elock, but the actual snd_pcm_stop() still\\nruns after dropping that lock.\\n\\nA concurrent close can clear the capture entry from cable-\u003estreams[] and\\ndetach or free its runtime while the playback trigger path still holds a\\nstale peer substream pointer.\\n\\nKeep a per-cable count of in-flight peer stops before dropping\\ncable-\u003elock, and make free_cable() wait for those stops before\\ndetaching the runtime. This preserves the existing behavior while\\nmaking the peer runtime lifetime explicit.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/03f52a9c170431e8f10e156b9dc0dae80b3e9198\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5d45e34bf001344e2966dabca1897561bbc9e913\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bdd9503c3d222d2735b56c7a8b4422ccf3de6e5c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

