PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46090 Linux CVE debrief

A use-after-free (UAF) vulnerability in the Linux kernel's ALSA loopback driver (aloop) could allow local attackers to trigger memory corruption. The flaw exists in loopback_check_format(), which may stop the capture side when playback starts with mismatched parameters. While a prior commit moved peer lookup under cable->lock, the snd_pcm_stop() call still executes after dropping that lock. A concurrent close can clear the capture entry from cable->streams[] and detach or free its runtime while the playback trigger path holds a stale peer substream pointer. The fix introduces a per-cable count of in-flight peer stops before dropping cable->lock, with free_cable() waiting for those stops before detaching the runtime.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators, kernel maintainers, security teams managing multi-user Linux environments, and organizations relying on ALSA loopback functionality for audio routing or testing.

Technical summary

The ALSA loopback driver (sound/drivers/aloop.c) contains a race condition in loopback_check_format() where snd_pcm_stop() on a peer capture stream can execute after dropping cable->lock. If a concurrent close clears cable->streams[] and frees the capture runtime, the playback trigger path dereferences a stale peer substream pointer. The vulnerability is a use-after-free affecting kernel memory integrity. The fix adds a per-cable in-flight stop counter and makes free_cable() wait for pending stops, ensuring the peer runtime remains valid until all stop operations complete.

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable branches when available
  • Monitor distribution security advisories for updated kernel packages
  • Restrict local access to systems where untrusted users can access ALSA loopback devices
  • Review systems using audio loopback functionality for unusual stability issues
  • Consider disabling the ALSA loopback module (snd-aloop) on systems where it is not required until patched
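
One way to audit the last action on a host, as an added example that is not PatchSiren's or the kernel project's code: the hypothetical aloop_exposure function reports whether snd_aloop is loaded, blocked by a modprobe install override, or still loadable. The default modprobe.d directories are assumptions about a typical distribution layout, and the sample files in aloop_demo are constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the advisory).
# aloop_exposure [modules_file] [modprobe_dir ...]
# Prints one of: loaded | blocked | loadable
aloop_exposure() {
    modules_file=${1:-/proc/modules}
    [ $# -gt 0 ] && shift
    [ $# -gt 0 ] || set -- /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d

    # The loaded-module list spells the name with underscores.
    if [ -r "$modules_file" ] && grep -q '^snd_aloop ' "$modules_file"; then
        echo loaded
        return 0
    fi
    # modprobe accepts '-' and '_' interchangeably, so match both. Only an
    # "install" override stops a plain modprobe; a "blacklist" line just
    # suppresses alias-based autoloading and is therefore not counted.
    for dir in "$@"; do
        for conf in "$dir"/*.conf; do
            [ -r "$conf" ] || continue
            if grep -Eq '^[[:space:]]*install[[:space:]]+snd[-_]aloop[[:space:]]+(/usr)?/bin/(false|true)' "$conf"; then
                echo blocked
                return 0
            fi
        done
    done
    echo loadable
}

# Constructed sample inputs (not from a real host) covering the three states.
aloop_demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/bl" "$t/inst"
    printf 'snd_aloop 32768 0 - Live 0x0000000000000000\n' > "$t/with"
    printf 'snd_pcm 151552 0 - Live 0x0000000000000000\n' > "$t/without"
    printf 'blacklist snd-aloop\n' > "$t/bl/aloop.conf"
    printf 'install snd-aloop /bin/false\n' > "$t/inst/aloop.conf"
    a=$(aloop_exposure "$t/with" "$t/inst")
    b=$(aloop_exposure "$t/without" "$t/bl")
    c=$(aloop_exposure "$t/without" "$t/inst")
    rm -rf "$t"
    echo "$a $b $c"
}

aloop_demo   # prints: loaded loadable blocked
```

Calling aloop_exposure with no arguments checks the live system. A "blocked" result only covers a plain modprobe; it does not replace installing the patched kernel.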

Evidence notes

The vulnerability description confirms a UAF in the ALSA aloop driver during format-change stop operations. The fix uses reference counting of in-flight peer stops to prevent the race condition between snd_pcm_stop() and concurrent close operations.

Official resources

2026-05-27