PatchSiren cyber security CVE debrief
CVE-2026-43459 Linux CVE debrief
CVE-2026-43459 is a Linux kernel use-after-free in the ASoC soc-core path that can occur during sound card unbind when a PCM stream is still open. The issue is reached through delayed work in the PCM close path and is rated HIGH by NVD with local access, low privileges, and user interaction required. The CVE was published on 2026-05-08 and later modified on 2026-05-21.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-21
Who should care
Linux administrators, OEMs, distro maintainers, and device vendors running affected Linux kernel branches that use the ALSA ASoC/PCM audio stack should prioritize this issue. Security teams should pay special attention where local users can interact with audio devices or trigger PCM open/close activity.
Technical summary
According to the CVE description, snd_soc_unbind_card() flushes delayed work and then calls soc_cleanup_card_resources(). During cleanup, snd_card_disconnect_sync() can release PCM file descriptors, and the PCM close path may schedule new delayed work via snd_soc_dapm_stream_stop() with a pmdown_time delay. Because that new work is scheduled after the earlier flush, it may fire after soc_remove_link_components() has already freed DAPM widgets, leading to a use-after-free in snd_soc_dapm_stream_event(). The described fix adds another flush in soc_cleanup_card_resources() after snd_card_disconnect_sync() and before DAI/widget teardown. NVD classifies the weakness as CWE-416.
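The ordering described above, modelled as an added C example (constructed here; it is not kernel code and not the patch itself): a counter stands in for the kernel delayed-work queue, the function names other than the kernel ones quoted in comments are assumptions, and simulate_unbind() returns how many widget accesses happen after the widgets were freed, with and without the extra flush the fix adds.

```c
#include <stdbool.h>

/* Constructed model state; real kernel objects are pointers, not flags. */
static bool widgets_alive;        /* DAPM widgets still allocated? */
static int  pending_stream_stop;  /* queued stream-stop work items */
static int  uaf_count;            /* widget accesses after free */

/* Stand-in for snd_soc_dapm_stream_event(): touches the widgets. */
static void dapm_stream_event(void) {
    if (!widgets_alive)
        uaf_count++;              /* this is the use-after-free */
}

/* Stand-in for flush_delayed_work(): run everything queued so far. */
static void flush_delayed_work(void) {
    while (pending_stream_stop > 0) {
        pending_stream_stop--;
        dapm_stream_event();
    }
}

/* Stand-in for snd_card_disconnect_sync(): closing the still-open PCM
 * schedules stream-stop work with a pmdown_time delay, it does not run
 * the DAPM event inline. */
static void card_disconnect_sync(bool pcm_open) {
    if (pcm_open)
        pending_stream_stop++;
}

/* Stand-in for soc_remove_link_components(): frees the DAPM widgets. */
static void remove_link_components(void) {
    widgets_alive = false;
}

/* One unbind sequence; 'fixed' adds the flush the patch introduces. */
int simulate_unbind(bool pcm_open, bool fixed) {
    widgets_alive = true;
    pending_stream_stop = 0;
    uaf_count = 0;

    flush_delayed_work();             /* snd_soc_unbind_card(): first flush */
    /* soc_cleanup_card_resources(): */
    card_disconnect_sync(pcm_open);   /* may queue NEW delayed work */
    if (fixed)
        flush_delayed_work();         /* added flush, before teardown */
    remove_link_components();         /* widgets freed */
    flush_delayed_work();             /* pmdown_time elapses later */

    return uaf_count;
}
```

The unpatched order yields one access after free when a stream was open, the patched order none; the same pattern (queue drained before the objects the work touches are freed) is what to look for when reviewing any teardown path that flushes early.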
Defensive priority
High for affected Linux kernel deployments; apply vendor or upstream fixes as soon as practical.
Recommended defensive actions
- Upgrade to a kernel version that includes the upstream fix for CVE-2026-43459.
- Apply the referenced stable kernel patches for the affected release branches if you cannot upgrade immediately.
- Prioritize systems on the affected Linux kernel version ranges listed by NVD, including the 4.20, 5.11, 5.16, 6.2, 6.7, 6.13, 6.19, and 7.0-rc branches where applicable.
- Review local-access exposure on systems where untrusted users can interact with ALSA/PCM audio devices.
- Track downstream vendor advisories and confirm that the fix is present in your distro or device kernel build.
Evidence notes
The supplied CVE description states that a use-after-free can occur in snd_soc_dapm_stream_event() when a sound card is unbound while a PCM stream is open. It explains that snd_card_disconnect_sync() can cause PCM close paths to schedule new delayed work after an initial flush in snd_soc_unbind_card(), and that soc_remove_link_components() can free DAPM widgets before that work runs. The description also states that the fix is to add a flush in soc_cleanup_card_resources() after snd_card_disconnect_sync() and before removing DAIs and widgets. NVD lists the weakness as CWE-416 and provides multiple kernel patch references, along with affected version ranges in its CPE criteria.
Official resources
- CVE-2026-43459 CVE record (CVE.org)
- CVE-2026-43459 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
Publicly disclosed in the CVE/NVD record on 2026-05-08; NVD last modified the record on 2026-05-21. The source corpus does not include separate embargo or vendor disclosure timing.