Skip to main content

Linux Kernel CVE-2026-46157

| EUVDEUVD-2026-32784 HIGH
Race Condition (CWE-362)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-27pv-w59x-hr4j
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:58 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger

Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race. And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.

Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().

AnalysisAI

Local privilege escalation risk in the Linux kernel's ALSA PCM OSS emulation layer stems from an unprotected concurrent access to the runtime.oss.trigger bit field, allowing racing writes to corrupt adjacent bit fields and destabilize sound device state. The flaw affects Linux kernel versions prior to 6.12.88, 6.18.30, and 7.0.7, and was discovered through fuzzing; no public exploit identified at time of analysis, and EPSS scoring (0.02%) indicates negligible probability of opportunistic exploitation.

Technical ContextAI

The vulnerability resides in the sound/core/oss/pcm_oss.c subsystem of the Linux kernel, which provides legacy Open Sound System (OSS) emulation atop ALSA's PCM (Pulse-Code Modulation) audio interface. The runtime.oss.trigger field is a single bit within a packed C bit field structure; in snd_pcm_oss_get_trigger() and snd_pcm_oss_poll(), it was read/written without holding the params_lock mutex that protects the surrounding state. Because CPU memory writes to bit fields are implemented as read-modify-write of the enclosing word, concurrent unsynchronized writes can clobber neighboring bits - a classic data race (CWE-362, Concurrent Execution using Shared Resource with Improper Synchronization), even though the CVE record lists CWE as N/A. The fix extends params_lock coverage to these two accessor paths.

RemediationAI

Vendor-released patch: upgrade to Linux kernel 6.12.88, 6.18.30, 7.0.7, or 7.1-rc2 (or later) on the appropriate stable branch; the upstream fix commits are 49f9d048845b, 901ac0ff15ed, 6b01c1bc9a47, and ac3e9b55b7da on https://git.kernel.org/stable/c/. Distribution users should track their vendor's kernel security advisories (Red Hat, SUSE, Debian, Ubuntu) and apply the rebuilt package when available. As a compensating control until patching, restrict local access to OSS PCM device nodes by tightening permissions on /dev/dsp*, /dev/audio*, /dev/mixer* and the corresponding /dev/snd/pcm* nodes (root-only or audio-group only), or unload/blacklist the snd-pcm-oss module via 'echo blacklist snd-pcm-oss >> /etc/modprobe.d/blacklist-oss.conf' - side effect is that legacy applications still using OSS emulation will lose audio playback/capture, but modern ALSA and PulseAudio/PipeWire clients are unaffected.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46157 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy