CVE-2026-53242
Received - Intake
Linux Kernel PCM Substream Wait Queue Corruption

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams

snd_pcm_drain() uses init_waitqueue_entry which does not clear entry.prev/next, and add_wait_queue with a conditional remove_wait_queue that is skipped when to_check is no longer in the group after concurrent UNLINK. The orphaned wait entry remains on the unlinked substream sleep queue. On the next drain iteration, add_wait_queue adds the entry to a new queue while still linked on the old one, corrupting both lists. A subsequent wake_up dereferences NULL at the func pointer (mapped from the spinlock at offset 0 of the misinterpreted wait_queue_head_t), causing a kernel panic.

Replace init_waitqueue_entry/add_wait_queue/conditional remove_wait_queue with init_wait_entry/prepare_to_wait/finish_wait. init_wait_entry clears prev/next via INIT_LIST_HEAD on each iteration and sets autoremove_wake_function which auto-removes the entry on wake-up. finish_wait safely handles both the already-removed and still-queued cases.

Meta Information

Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor: linux
Product: linux_kernel
Version / Range: *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's ALSA PCM subsystem, specifically in the snd_pcm_drain() function handling linked streams.

The issue arises because snd_pcm_drain() uses init_waitqueue_entry which does not clear the entry's prev/next pointers, combined with add_wait_queue and a conditional remove_wait_queue that can be skipped during concurrent unlinking of streams.

As a result, an orphaned wait entry remains on an unlinked substream's sleep queue. On the next drain iteration, add_wait_queue adds this entry to a new queue while it is still linked to the old one, corrupting both wait queues.

This corruption leads a subsequent wake_up call to dereference NULL at the func pointer: the value it reads is actually the spinlock at offset 0 of a wait_queue_head_t that has been misinterpreted as a wait entry. The result is a kernel panic.

The fix replaces the problematic functions with safer alternatives that clear the prev/next pointers properly and auto-remove wait entries on wake-up, preventing the queue corruption and kernel panic.
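
The list-level effect described above, as an added example that is not kernel code and not part of the original advisory: a userspace C model of the kernel's circular list. The helper names mirror the kernel's but the bodies are simplified (no locking), and qa, qb and wait are hypothetical stand-ins for the two substream sleep queues and the wait entry.

```c
/* Added example: userspace model of the kernel's circular list_head.
 * Helper names mirror the kernel's; the bodies are simplified (no locking). */
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *n, struct list_head *head) {
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}
static void list_del_init(struct list_head *e) {
    e->prev->next = e->next; e->next->prev = e->prev;
    INIT_LIST_HEAD(e);
}
/* 1 if every forward link has a matching back link and the walk returns
 * to head; 0 if the list is corrupted. */
static int list_consistent(const struct list_head *head) {
    const struct list_head *p = head;
    for (int i = 0; i < 16; i++) {
        if (p->next->prev != p) return 0;
        p = p->next;
        if (p == head) return 1;
    }
    return 0;
}
/* Old pattern: removal is skipped (models to_check having left the group
 * after UNLINK), then the same entry is queued on a second head. */
int drain_old_pattern(void) {
    struct list_head qa, qb, wait;
    INIT_LIST_HEAD(&qa); INIT_LIST_HEAD(&qb);
    list_add(&wait, &qa);   /* iteration 1: add_wait_queue */
    list_add(&wait, &qb);   /* iteration 2: still linked on qa */
    return list_consistent(&qa) && list_consistent(&qb);
}
/* Fixed pattern: reinitialise per iteration, always unlink if still queued
 * (the finish_wait behaviour the description relies on). */
static void finish(struct list_head *e) { if (!list_empty(e)) list_del_init(e); }
int drain_fixed_pattern(void) {
    struct list_head qa, qb, wait;
    INIT_LIST_HEAD(&qa); INIT_LIST_HEAD(&qb);
    INIT_LIST_HEAD(&wait); list_add(&wait, &qa); finish(&wait);
    INIT_LIST_HEAD(&wait); list_add(&wait, &qb); finish(&wait);
    return list_consistent(&qa) && list_consistent(&qb) && list_empty(&qa);
}
int main(void) {
    printf("old pattern consistent: %d\n", drain_old_pattern());
    printf("fixed pattern consistent: %d\n", drain_fixed_pattern());
    return 0;
}
```

In the old pattern qa still points at the entry while the entry's links point into qb, so a walk of qa lands on qb's head as if it were a wait entry, which is the misinterpretation the description refers to.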

Impact Analysis

This vulnerability can cause a kernel panic on a Linux system that uses ALSA PCM linked streams, leading to a system crash.

A kernel panic results in an immediate system halt, which can cause loss of unsaved data, service downtime, and potential disruption of critical operations.

If exploited or triggered unintentionally, it could affect system stability and availability, especially in environments relying on audio processing or linked PCM streams.

Mitigation Strategies

This vulnerability in the Linux kernel ALSA PCM subsystem causes a kernel panic through wait queue list corruption in snd_pcm_drain() on linked streams.

To mitigate this vulnerability, update your Linux kernel to a version where this issue is fixed. The fix replaces the use of init_waitqueue_entry/add_wait_queue/conditional remove_wait_queue with init_wait_entry/prepare_to_wait/finish_wait, which properly manages wait queue entries and prevents list corruption.
