CVE-2026-45963 Linux CVE debrief

Who should care

Linux system administrators managing audio-enabled systems, particularly Valve Steam Deck (Jupiter) devices and other hardware using the NAU8821 codec; kernel maintainers and distribution packagers responsible for stable kernel updates

Technical summary

The NAU8821 audio codec driver in the Linux kernel's ALSA SoC subsystem fails to properly synchronize its jack detection delayed work (nau8821_jdet_work) with driver removal. When the component driver is unloaded while jack detection work is pending, the workqueue item may execute after the driver's data structures have been freed. The resulting use-after-free manifests as a page fault in __mutex_lock when the work item calls snd_soc_dapm_disable_pin. The fix implements proper cancellation of unscheduled work or synchronous waiting for completion during component removal, preventing the race condition.

Defensive priority

medium

Recommended defensive actions

• Apply kernel patches 3955767ec39d and dbd3fd05cddf from stable kernel trees
• Update to kernel version containing the fix once released by distribution
• Avoid unloading nau8821 driver module while audio jack detection is active as temporary mitigation
• Monitor kernel logs for nau8821_jdet_work crashes indicating exploitation attempts

Evidence notes

Vulnerability confirmed via kernel commit messages and stack trace in CVE description. Affects Valve Jupiter hardware (Steam Deck) per hardware name in oops log. Patch commits 3955767ec39d and dbd3fd05cddf address stable kernel branches.

Official resources