Skip to main content

Linux Kernel CVE-2026-46090

| EUVDEUVD-2026-32473 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-w9ff-9cjh-6463
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:45 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ALSA: aloop: Fix peer runtime UAF during format-change stop

loopback_check_format() may stop the capture side when playback starts with parameters that no longer match a running capture stream. Commit 826af7fa62e3 ("ALSA: aloop: Fix racy access at PCM trigger") moved the peer lookup under cable->lock, but the actual snd_pcm_stop() still runs after dropping that lock.

A concurrent close can clear the capture entry from cable->streams[] and detach or free its runtime while the playback trigger path still holds a stale peer substream pointer.

Keep a per-cable count of in-flight peer stops before dropping cable->lock, and make free_cable() wait for those stops before detaching the runtime. This preserves the existing behavior while making the peer runtime lifetime explicit.

AnalysisAI

Local privilege escalation potential via use-after-free in the Linux kernel's ALSA aloop (snd-aloop) driver allows authenticated local users to trigger memory corruption by racing PCM stream close against a peer format-change stop. The flaw stems from snd_pcm_stop() running after cable->lock is dropped, leaving a stale peer substream pointer that can be freed by a concurrent close. Upstream fixes are merged into stable trees (6.12.88, 6.18.27, 7.0.4, 7.1-rc2); no public exploit identified at time of analysis and EPSS is very low at 0.02%.

Technical ContextAI

The vulnerability lives in sound/drivers/aloop.c, the ALSA loopback driver that exposes virtual PCM devices linked in 'cables' so a playback stream on one side feeds a capture stream on the other. loopback_check_format() may call snd_pcm_stop() on the peer capture substream when playback parameters change. A prior fix (commit 826af7fa62e3) moved the peer lookup under cable->lock, but the stop call itself executes after the lock is released, creating a TOCTOU window where a concurrent snd_pcm_close() on the peer can clear cable->streams[] and free the runtime structure. The bug is a classic use-after-free (CWE-416 class, though NVD lists CWE as N/A) on per-substream runtime state, fixed by reference-counting in-flight peer stops on the cable and having free_cable() wait for them to drain before detaching the runtime.

RemediationAI

Vendor-released patch: upgrade to Linux 6.12.88, 6.18.27, 7.0.4, 7.1-rc2 or later from your distribution's stable channel; the upstream commits are 03f52a9c170431e8f10e156b9dc0dae80b3e9198, 5d45e34bf001344e2966dabca1897561bbc9e913, bdd9503c3d222d2735b56c7a8b4422ccf3de6e5c, and e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff at git.kernel.org/stable. If patching cannot be scheduled immediately, the most effective compensating control is to unload and blacklist the snd-aloop module (add 'blacklist snd-aloop' under /etc/modprobe.d/ and rmmod snd_aloop) on systems that do not require virtual loopback audio - this fully removes the attack surface but will break PulseAudio/PipeWire loopback configurations, virtual-microphone setups, and audio-routing appliances that depend on it. Where the module must remain loaded, restrict access to /dev/snd/* (typically the 'audio' group) to trusted local users only, accepting that any user already in that group can still trigger the race. Track distribution advisories at vuldb.com/vuln/366313 and the kernel.org stable references above for backport status.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46090 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy