CVE-2026-43459
Analyzed Analyzed - Analysis Complete
Use-After-Free in Linux Kernel Sound Card Unbinding

Publication date: 2026-05-08

Last updated on: 2026-05-21

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-core: flush delayed work before removing DAIs and widgets When a sound card is unbound while a PCM stream is open, a use-after-free can occur in snd_soc_dapm_stream_event(), called from the close_delayed_work workqueue handler. During unbind, snd_soc_unbind_card() flushes delayed work and then calls soc_cleanup_card_resources(). Inside cleanup, snd_card_disconnect_sync() releases all PCM file descriptors, and the resulting PCM close path can call snd_soc_dapm_stream_stop() which schedules new delayed work with a pmdown_time timer delay. Since this happens after the flush in snd_soc_unbind_card(), the new work is not caught. soc_remove_link_components() then frees DAPM widgets before this work fires, leading to the use-after-free. The existing flush in soc_free_pcm_runtime() also cannot help as it runs after soc_remove_link_components() has already freed the widgets. Add a flush in soc_cleanup_card_resources() after snd_card_disconnect_sync() (after which no new PCM closes can schedule further delayed work) and before soc_remove_link_dais() and soc_remove_link_components() (which tear down the structures the delayed work accesses).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-21
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43459
EUVD
EUVD-2026-28765
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.19 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.9 (exc)
linux linux_kernel From 4.20 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Linux kernel's ASoC (ALSA System on Chip) soc-core component related to sound card handling. Specifically, when a sound card is unbound while a PCM (Pulse Code Modulation) stream is still open, a use-after-free condition can happen in the function snd_soc_dapm_stream_event().

The issue arises because during the unbind process, delayed work is flushed before certain cleanup steps. However, after flushing, new delayed work can be scheduled due to PCM stream closure activities. Since this new work is not flushed, the system frees DAPM (Dynamic Audio Power Management) widgets before the delayed work executes, leading to use-after-free errors.

The fix involves adding an additional flush of delayed work after disconnecting PCM file descriptors and before removing link components and DAIs (Digital Audio Interfaces), ensuring no delayed work accesses freed structures.

Impact Analysis

This vulnerability can lead to a use-after-free condition in the Linux kernel's sound subsystem, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges if exploited.

Since it involves kernel memory management errors, exploitation could compromise the security and reliability of systems using affected Linux kernel versions, especially those handling audio devices.

Mitigation Strategies

The vulnerability is resolved by applying a patch to the Linux kernel that adds a flush in soc_cleanup_card_resources() after snd_card_disconnect_sync() and before soc_remove_link_dais() and soc_remove_link_components().

Therefore, the immediate mitigation step is to update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43459. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart