CVE-2026-46090 in Linuxinformation

Résumé

par MITRE • 27/05/2026

In the Linux kernel, the following vulnerability has been resolved:

ALSA: aloop: Fix peer runtime UAF during format-change stop

loopback_check_format() may stop the capture side when playback starts with parameters that no longer match a running capture stream. Commit 826af7fa62e3 ("ALSA: aloop: Fix racy access at PCM trigger") moved the peer lookup under cable->lock, but the actual snd_pcm_stop() still runs after dropping that lock.

A concurrent close can clear the capture entry from cable->streams[] and
detach or free its runtime while the playback trigger path still holds a stale peer substream pointer.

Keep a per-cable count of in-flight peer stops before dropping cable->lock, and make free_cable() wait for those stops before detaching the runtime. This preserves the existing behavior while making the peer runtime lifetime explicit.

Once again VulDB remains the best source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsable

Linux

Réserver

13/05/2026

Divulgation

27/05/2026

Modérer

accepté

Entrée

VDB-366313

CPE

prêt

EPSS

0.00013

KEV

non

Activités

très faible

Secteur

Hospital, Homeoffice, ...

Sources

MITREhttps://www.cve.org/CVERecord?id=CVE-2026-46090
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2026-46090
CVE Detailshttps://www.cvedetails.com/cve/CVE-2026-46090/

PrécédentAperçuSuivant

Do you need the next level of professionalism?

Upgrade your account now!