CVE-2026-46090
Modified
Modified - Updated After Analysis
Use-After-Free in Linux Kernel ALSA Loopback Device
Vulnerability report for CVE-2026-46090, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-05-27
Last updated on: 2026-07-06
Assigner: kernel.org
Description
Description
In the Linux kernel, the following vulnerability has been resolved:
ALSA: aloop: Fix peer runtime UAF during format-change stop
loopback_check_format() may stop the capture side when playback starts
with parameters that no longer match a running capture stream. Commit
826af7fa62e3 ("ALSA: aloop: Fix racy access at PCM trigger") moved
the peer lookup under cable->lock, but the actual snd_pcm_stop() still
runs after dropping that lock.
A concurrent close can clear the capture entry from cable->streams[] and
detach or free its runtime while the playback trigger path still holds a
stale peer substream pointer.
Keep a per-cable count of in-flight peer stops before dropping
cable->lock, and make free_cable() wait for those stops before
detaching the runtime. This preserves the existing behavior while
making the peer runtime lifetime explicit.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 7.1 |
| linux | linux_kernel | From 6.13 (inc) to 6.18.27 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 7.0.4 (exc) |
| linux | linux_kernel | From 5.11 (inc) to 5.15.210 (exc) |
| linux | linux_kernel | From 2.6.37 (inc) to 5.10.259 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.12.88 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
| CWE-364 | The product uses a signal handler that introduces a race condition. |