PatchSiren

CVE-2026-43437 Linux CVE debrief

CVE-2026-43437 is a Linux kernel ALSA PCM use-after-free affecting snd_pcm_drain(). The issue comes from reusing a linked stream’s runtime pointer after the stream lock is released, while a concurrent close() path can free that runtime. The published fix caches the needed runtime fields before unlocking, removing the stale-pointer dereference window.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-21
Advisory published: 2026-05-08
Advisory updated: 2026-05-21

Who should care

Linux kernel maintainers, distro kernel teams, embedded/OEM platform owners, and operators of systems that expose ALSA PCM audio interfaces to local users or local services. This is especially relevant for fleets running downstream kernels in affected stable series.

Technical summary

In snd_pcm_drain(), the code assigns the local runtime pointer to a linked stream’s runtime, then drops the stream lock and later reads runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size. NVD classifies the weakness as CWE-416 (use-after-free). The race is exploitable only through local interaction: a concurrent close() on the linked stream can follow snd_pcm_release_substream() -> snd_pcm_drop() -> pcm_release_private() -> snd_pcm_unlink() -> snd_pcm_detach_substream() -> kfree(runtime), leaving the drain path with a freed runtime pointer. The kernel fix is to copy the required fields while still holding the lock and use the cached values after unlock.
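The locking pattern described above, reduced to a user-space C model with a pthread mutex standing in for the stream lock. This is an added example, not the kernel source or the upstream patch: the struct and function names and the wait-time arithmetic are assumptions, and only the three field names come from the CVE description.

```c
/* User-space model of the locking pattern only; not kernel source.
 * All type and function names here are hypothetical. */
#include <pthread.h>
#include <stdlib.h>

struct runtime { int no_period_wakeup; unsigned int rate; unsigned long buffer_size; };
struct stream  { pthread_mutex_t lock; struct runtime *runtime; };
struct drain_params { int no_period_wakeup; unsigned int rate; unsigned long buffer_size; };

/* Models the concurrent close(): frees the runtime while holding the lock. */
void stream_close(struct stream *s)
{
    pthread_mutex_lock(&s->lock);
    free(s->runtime);
    s->runtime = NULL;
    pthread_mutex_unlock(&s->lock);
}

/* Pre-fix shape: the pointer outlives the lock, so the reads below race
 * with stream_close() and can touch freed memory. Shown for contrast. */
long drain_wait_ms_unsafe(struct stream *linked)
{
    pthread_mutex_lock(&linked->lock);
    struct runtime *rt = linked->runtime;
    pthread_mutex_unlock(&linked->lock);
    if (rt->no_period_wakeup) return -1;           /* stale dereference */
    return rt->rate ? (long)(rt->buffer_size * 1000UL / rt->rate) : -1;
}

/* Fixed shape: copy the three fields under the lock; no pointer escapes.
 * Returns 0 on success, -1 if the runtime is already detached. */
int drain_snapshot(struct stream *linked, struct drain_params *out)
{
    int ret = -1;
    pthread_mutex_lock(&linked->lock);
    if (linked->runtime) {
        out->no_period_wakeup = linked->runtime->no_period_wakeup;
        out->rate = linked->runtime->rate;
        out->buffer_size = linked->runtime->buffer_size;
        ret = 0;
    }
    pthread_mutex_unlock(&linked->lock);
    return ret;
}

/* Placeholder arithmetic (an assumption): works only on the cached copy. */
long drain_wait_ms(const struct drain_params *p)
{
    if (p->no_period_wakeup || !p->rate) return -1;
    return (long)(p->buffer_size * 1000UL / p->rate);
}
```

When reviewing a vendor backport, the property to confirm is the one drain_snapshot() models: every field read happens before the unlock, and nothing after the unlock goes through the linked stream's runtime pointer.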

Defensive priority

High. The CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a local, low-complexity flaw with high confidentiality, integrity, and availability impact once reachable on an affected system.

Recommended defensive actions

  • Apply the upstream/stable kernel fixes referenced by the official kernel.org patch links for CVE-2026-43437.
  • Update downstream kernels to versions that include the fix; NVD marks affected ranges across 3.0-5.10.253, 5.11-6.1.167, 6.2-6.6.130, 6.7-6.12.78, 6.13-6.18.19, 6.19-6.19.9, and 7.0-rc1 through rc3.
  • Prioritize systems where untrusted local users, containers with host kernel access, or desktop/audio workloads can reach ALSA PCM devices.
  • Validate vendor backports against the upstream patch behavior: cached runtime field copies must be taken before the lock is released.
  • Track exposure as a local-kernel issue rather than a network-facing one; focus remediation on host kernel rollout and reboot coordination.

Evidence notes

Evidence is limited to the supplied CVE record and official references. The CVE description states that runtime is reassigned to a linked stream’s runtime, then accessed after lock release, and that a concurrent close() path can free runtime before those dereferences. NVD lists CWE-416 and CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Official kernel.org stable patch references are provided in the record: 4a758e9a1f5ed722f83c4dd35f867fe811553bcb, 629cf09464cf98670996ea5c191dc9743e6f3f00, 9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6, 9baee36e8c5443411c4629afabafaff8a46a23fd, ae8f8d30d334bad5b1b3cdb1eb8a0b771f55e432, c2f64e05a0587a83ec42dbd6b7a7ded79b2ff694, and fc71f888994569f87d5bee20b1ac6c9c1e3a7a79.

Official resources

CVE published by the source record on 2026-05-08T15:16:56.037Z and last modified on 2026-05-21T17:41:41.273Z. Timing in this debrief follows the supplied CVE dates; no generation or review time is treated as the issue date.