Skip to main content

Linux Kernel CVE-2026-43459

| EUVDEUVD-2026-28765 HIGH
Use After Free (CWE-416)
2026-05-08 Linux GHSA-6hfg-rmc6-8cvm
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:37 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.3 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 14:22 nvd
HIGH 7.3

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ASoC: soc-core: flush delayed work before removing DAIs and widgets

When a sound card is unbound while a PCM stream is open, a use-after-free can occur in snd_soc_dapm_stream_event(), called from the close_delayed_work workqueue handler.

During unbind, snd_soc_unbind_card() flushes delayed work and then calls soc_cleanup_card_resources(). Inside cleanup, snd_card_disconnect_sync() releases all PCM file descriptors, and the resulting PCM close path can call snd_soc_dapm_stream_stop() which schedules new delayed work with a pmdown_time timer delay. Since this happens after the flush in snd_soc_unbind_card(), the new work is not caught. soc_remove_link_components() then frees DAPM widgets before this work fires, leading to the use-after-free.

The existing flush in soc_free_pcm_runtime() also cannot help as it runs after soc_remove_link_components() has already freed the widgets.

Add a flush in soc_cleanup_card_resources() after snd_card_disconnect_sync() (after which no new PCM closes can schedule further delayed work) and before soc_remove_link_dais() and soc_remove_link_components() (which tear down the structures the delayed work accesses).

AnalysisAI

Use-after-free in Linux kernel ASoC (ALSA System on Chip) subsystem allows local authenticated users with open audio streams to trigger memory corruption during sound card unbind operations. The flaw occurs when PCM stream closure schedules delayed DAPM (Dynamic Audio Power Management) work after widgets are freed, enabling potential privilege escalation or denial of service. EPSS score of 0.02% indicates low observed exploitation probability. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). No CISA KEV listing or public POC identified at time of analysis.

Technical ContextAI

The vulnerability resides in the Linux kernel's ASoC (ALSA System on Chip) framework, specifically in the sound card unbind path (soc-core.c). ASoC manages audio hardware through Digital Audio Interfaces (DAIs) and DAPM widgets that control power states. The race condition occurs between card teardown and delayed work execution: when snd_card_disconnect_sync() closes PCM file descriptors during unbind, the resulting PCM close can invoke snd_soc_dapm_stream_stop() which schedules close_delayed_work with a pmdown_time timer. This new work is scheduled after snd_soc_unbind_card() has already flushed pending work, and fires after soc_remove_link_components() has freed the DAPM widgets that snd_soc_dapm_stream_event() will attempt to access. The existing flush in soc_free_pcm_runtime() cannot prevent this as it executes after widget destruction. CPE data confirms this affects the core Linux kernel audio subsystem introduced in commit e894efef9ac7 (v4.20 timeframe).

RemediationAI

Upgrade to patched kernel versions: 5.10.253 (for 5.10.x LTS users), 5.15.203 (5.15.x LTS), 6.1.167 (6.1.x LTS), 6.6.130 (6.6.x stable), 6.12.78 (6.12.x stable), 6.18.19 (6.18.x stable), 6.19.9 (6.19.x stable), or 7.0+ (mainline). Distribution-specific updates: monitor security advisories from Red Hat (RHEL/CentOS), Ubuntu, Debian, SUSE for backported fixes in their kernel packages. Mainline patch commit bf80a89da97285d9b877e0c6995e870d46b8025c adds flush_delayed_work() in soc_cleanup_card_resources() after snd_card_disconnect_sync() to prevent the race. Workaround for systems unable to patch immediately: restrict local user access to audio devices via udev rules or system policies, though this may break legitimate audio functionality. Disable ASoC drivers for non-essential audio hardware (modprobe blacklist), accepting loss of that hardware's functionality. Monitor for unexpected audio driver unbind events in system logs as potential exploitation indicator. No effective runtime mitigation exists that preserves full audio functionality without kernel update.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43459 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy