PatchSiren

CVE-2026-46157 Linux CVE debrief

A data race vulnerability in the Linux kernel's ALSA PCM OSS (Open Sound System) compatibility layer could allow concurrent, unprotected access to the `runtime.oss.trigger` bit field. Because this field is a bit field, unsynchronized writes risk corrupting adjacent bit fields, leading to undefined behavior and potential operational confusion. The issue was discovered through fuzzing. The fix adds `params_lock` mutex protection around accesses to `runtime.oss.trigger` in both `snd_pcm_oss_get_trigger()` and `snd_pcm_oss_poll()`.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

Linux system administrators, kernel maintainers, and organizations running workloads with ALSA OSS compatibility enabled, particularly in multi-tenant or high-concurrency audio processing environments.

Technical summary

The vulnerability exists in the OSS compatibility layer of the ALSA (Advanced Linux Sound Architecture) PCM subsystem. The `runtime.oss.trigger` bit field was accessed without proper synchronization, creating a data race. Because bit fields share storage units, a concurrent write to `trigger` could inadvertently modify adjacent bit fields, causing operational confusion. The resolution extends the existing `params_lock` mutex coverage to protect read and write operations on `runtime.oss.trigger` in the `snd_pcm_oss_get_trigger()` and `snd_pcm_oss_poll()` functions.
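The following user-space model is an added example, not kernel code and not taken from the referenced commits. It replays by hand one interleaving in which a stale bit-field store erases a neighbouring field, then shows that two threads serialized by a mutex produce a deterministic result. The struct `oss_bits`, the `neighbour` field, the function names and the pthread mutex standing in for `params_lock` are assumptions made for illustration.

```c
/* Added user-space model with constructed data; not kernel code. */
#include <pthread.h>

struct oss_bits {                 /* hypothetical stand-in for runtime.oss */
    unsigned int trigger : 1;     /* field named in the advisory */
    unsigned int neighbour : 1;   /* hypothetical adjacent bit field */
};

/* A bit-field store is a read-modify-write of the shared storage unit.
 * Replay one unlucky interleaving by hand: writer A loads the unit, writer B
 * updates the neighbour, then A stores its stale copy with trigger set. */
int stale_store_loses_neighbour(void)
{
    struct oss_bits shared = {0, 0};
    struct oss_bits a_copy = shared;  /* A: load */
    shared.neighbour = 1;             /* B: completes its update */
    a_copy.trigger = 1;               /* A: modify */
    shared = a_copy;                  /* A: store, B's update is gone */
    return shared.neighbour;
}

static struct oss_bits bits;
/* Models the role of the kernel's params_lock (assumption). */
static pthread_mutex_t params_lock = PTHREAD_MUTEX_INITIALIZER;

static void *flip(void *arg)
{
    long n = (long)arg;               /* even count flips trigger, odd flips neighbour */
    for (long i = 0; i < n; i++) {
        pthread_mutex_lock(&params_lock);
        if (n % 2 == 0)
            bits.trigger = !bits.trigger;
        else
            bits.neighbour = !bits.neighbour;
        pthread_mutex_unlock(&params_lock);
    }
    return NULL;
}

/* Every access is under the lock, so no flip is lost.
 * Returns (neighbour << 1) | trigger. */
int locked_flips(void)
{
    pthread_t a, b;
    bits.trigger = 0;
    bits.neighbour = 0;
    pthread_create(&a, NULL, flip, (void *)100000L);
    pthread_create(&b, NULL, flip, (void *)100001L);
    pthread_join(a, NULL);
    pthread_join(b, NULL);
    return (bits.neighbour << 1) | bits.trigger;
}
```

The lock has to cover every reader and writer of the shared storage unit, not only the accesses to `trigger`, for the result to stay deterministic.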

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available for your distribution
  • Monitor vendor security advisories for kernel package updates addressing CVE-2026-46157
  • If running systems with ALSA OSS compatibility enabled, prioritize patching on multi-user or containerized environments where concurrent audio access may occur
  • Review system logs for unexpected ALSA/OSS-related errors that could indicate trigger state corruption

Evidence notes

The CVE description and kernel commit references confirm this is a data race in ALSA PCM OSS code, resolved by adding mutex protection. Multiple stable kernel branch commits are referenced, indicating backports to supported releases.
