PatchSiren

CVE-2026-46143 Linux CVE debrief

A memory leak vulnerability exists in the Qualcomm ASoC (ALSA System on Chip) q6apm-lpass-dai driver within the Linux kernel. The issue occurs because the driver's prepare callback can be invoked multiple times during playback operations, resulting in repeated graph opens without proper state tracking. Each redundant graph open allocates resources that are never released, leading to cumulative memory exhaustion over time. The vulnerability is confined to kernel-space memory management and does not provide direct attack vectors for privilege escalation or code execution. Exploitation requires local access to trigger audio playback operations that exercise the vulnerable code path. The fix introduces a state check to prevent multiple graph opens when the audio path is already prepared.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations running Linux systems with Qualcomm Snapdragon audio subsystems, embedded Linux deployments using LPASS (Low Power Audio SubSystem), and kernel maintainers responsible for stable branch backports.

Technical summary

The q6apm-lpass-dai driver in sound/soc/qcom/ fails to track graph open state across multiple prepare() invocations. When userspace triggers audio playback, the prepare callback may be called repeatedly, each invocation opening a new graph context without checking if one already exists. This results in orphaned graph allocations and kernel memory exhaustion. The vulnerability is local-only, requires audio subsystem access, and has no demonstrated exploitability for code execution or privilege escalation. Resolution adds a conditional check to skip graph open when already initialized.
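The leak pattern and the state-check fix described above can be modelled in userspace. This is an added example, not the driver's code: every name in it (graph_open, dai_state, prepare_unguarded, prepare_guarded, leaked_after) is hypothetical, and a fixed-size pool stands in for kernel memory so exhaustion is observable.

```c
/* Userspace model of the bug class; all names are hypothetical (not driver code). */
#include <errno.h>
#include <stdio.h>
#define POOL_SIZE 8                  /* stand-in for finite kernel memory */
struct graph { int in_use; };
static struct graph pool[POOL_SIZE];
struct dai_state {
    struct graph *graph;             /* only handle teardown can release */
    int prepared;                    /* state flag checked by the guarded path */
};

static struct graph *graph_open(void)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;                     /* pool exhausted */
}

/* Unguarded: every call opens a graph and overwrites the previous handle. */
static int prepare_unguarded(struct dai_state *s)
{
    struct graph *g = graph_open();
    if (!g) return -ENOMEM;
    s->graph = g;                    /* earlier graph is now unreachable */
    s->prepared = 1;
    return 0;
}

/* Guarded: skip the open when the path is already prepared. */
static int prepare_guarded(struct dai_state *s)
{
    return s->prepared ? 0 : prepare_unguarded(s);
}

/* Call prepare `calls` times, tear down, return graphs still allocated. */
static int leaked_after(int (*prepare)(struct dai_state *), int calls)
{
    struct dai_state s = {0};
    int live = 0;
    for (int i = 0; i < POOL_SIZE; i++) pool[i].in_use = 0;
    for (int i = 0; i < calls; i++) prepare(&s);
    if (s.graph) s.graph->in_use = 0;   /* teardown frees the tracked graph only */
    for (int i = 0; i < POOL_SIZE; i++) live += pool[i].in_use;
    return live;
}
int main(void)
{
    printf("leaked: unguarded=%d guarded=%d\n", leaked_after(prepare_unguarded, 5), leaked_after(prepare_guarded, 5));
    return 0;
}
```

In the model, repeated unguarded calls leave every graph but the last one allocated after teardown, and once the pool is full further prepare calls fail with -ENOMEM; the guarded variant opens exactly one graph however many times prepare runs.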

Defensive priority

medium

Recommended defensive actions

  • Apply kernel patches from stable branches once available through distribution channels
  • Monitor NVD for CVSS scoring updates as analysis completes
  • Review audio subsystem configurations for systems using Qualcomm LPASS hardware
  • Validate the running kernel version against the patched stable commits: 3141d8b00cad, 69acc488aaf3, 7cab9f2ad51c, b97493f0f42a, c91b7bcc7034

Evidence notes

The vulnerability description confirms a memory leak via multiple graph opens in the ASoC qcom q6apm-lpass-dai driver. The five stable kernel commits provided indicate backports to multiple kernel versions. No CVSS score is assigned; the NVD status is 'Awaiting Analysis'. There is no KEV listing. Vendor identification is marked low confidence with a review flag.

Official resources

2026-05-28