CVE-2026-43459
Received - Intake
Use-After-Free in Linux Kernel Sound Card Unbinding

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ASoC: soc-core: flush delayed work before removing DAIs and widgets

When a sound card is unbound while a PCM stream is open, a use-after-free can occur in snd_soc_dapm_stream_event(), called from the close_delayed_work workqueue handler.

During unbind, snd_soc_unbind_card() flushes delayed work and then calls soc_cleanup_card_resources(). Inside cleanup, snd_card_disconnect_sync() releases all PCM file descriptors, and the resulting PCM close path can call snd_soc_dapm_stream_stop() which schedules new delayed work with a pmdown_time timer delay. Since this happens after the flush in snd_soc_unbind_card(), the new work is not caught. soc_remove_link_components() then frees DAPM widgets before this work fires, leading to the use-after-free.

The existing flush in soc_free_pcm_runtime() also cannot help as it runs after soc_remove_link_components() has already freed the widgets.

Add a flush in soc_cleanup_card_resources() after snd_card_disconnect_sync() (after which no new PCM closes can schedule further delayed work) and before soc_remove_link_dais() and soc_remove_link_components() (which tear down the structures the delayed work accesses).
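
The ordering problem described above, modeled in userspace C as an added example (not kernel code and not taken from the kernel patch). The struct and function names are hypothetical stand-ins for the kernel functions named in the description, and delayed work is reduced to a pending flag.

```c
/* Userspace model of the teardown ordering; NOT kernel code. All names are
 * hypothetical stand-ins for the kernel functions named in the description. */
#include <stdbool.h>
#include <stdio.h>

struct widget { bool freed; };            /* stands in for a DAPM widget */
struct card {
    struct widget w;
    bool pcm_open;                        /* a PCM stream is still open */
    bool work_pending;                    /* close_delayed_work is queued */
    int  stale_accesses;                  /* work ran against a freed widget */
};

/* Delayed-work handler: the real one ends up in snd_soc_dapm_stream_event(). */
static void run_work(struct card *c) {
    if (c->w.freed)
        c->stale_accesses++;              /* in the kernel: use-after-free */
    c->work_pending = false;
}

/* Run queued work now and wait for it to finish. */
static void flush_work(struct card *c) { if (c->work_pending) run_work(c); }

/* Models snd_card_disconnect_sync(): closing the PCM queues new delayed work. */
static void disconnect_sync(struct card *c) {
    if (c->pcm_open) { c->pcm_open = false; c->work_pending = true; }
}

/* Models soc_remove_link_components(): the widgets are gone after this. */
static void remove_components(struct card *c) { c->w.freed = true; }

/* Unbind with a PCM open; returns how many times work touched freed state. */
int unbind_card(bool flush_after_disconnect) {
    struct card c = { .pcm_open = true };
    flush_work(&c);                       /* flush in snd_soc_unbind_card() */
    disconnect_sync(&c);                  /* queues work after that flush */
    if (flush_after_disconnect)
        flush_work(&c);                   /* the flush added by the fix */
    remove_components(&c);
    flush_work(&c);                       /* pmdown_time expiry or late flush */
    return c.stale_accesses;
}

int main(void) {
    printf("before fix: %d stale access(es)\n", unbind_card(false));
    printf("after fix:  %d stale access(es)\n", unbind_card(true));
    return 0;
}
```

The final flush in the model plays the role of both the pmdown_time timer expiring and the existing flush in soc_free_pcm_runtime(): either way the work runs only after the widgets are gone unless the extra flush sits between disconnect and removal.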
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's ASoC (ALSA System on Chip) soc-core component related to sound card handling. Specifically, when a sound card is unbound while a PCM (Pulse Code Modulation) stream is still open, a use-after-free condition can happen in the function snd_soc_dapm_stream_event().

The issue arises because during the unbind process, delayed work is flushed before certain cleanup steps. However, after flushing, new delayed work can be scheduled due to PCM stream closure activities. Since this new work is not flushed, the system frees DAPM (Dynamic Audio Power Management) widgets before the delayed work executes, leading to use-after-free errors.

The fix involves adding an additional flush of delayed work after disconnecting PCM file descriptors and before removing link components and DAIs (Digital Audio Interfaces), ensuring no delayed work accesses freed structures.


How can this vulnerability impact me?

This vulnerability can lead to a use-after-free condition in the Linux kernel's sound subsystem, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges if exploited.

Since it involves kernel memory management errors, exploitation could compromise the security and reliability of systems using affected Linux kernel versions, especially those handling audio devices.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is resolved by applying a patch to the Linux kernel that adds a flush in soc_cleanup_card_resources() after snd_card_disconnect_sync() and before soc_remove_link_dais() and soc_remove_link_components().

Therefore, the immediate mitigation step is to update your Linux kernel to a version that includes this fix.

