Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local PCM-device access (PR:L, AV:L) and a tight drain/unlink race (AC:H); demonstrated impact is a kernel panic, so A:H only with C:N/I:N.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams
snd_pcm_drain() uses init_waitqueue_entry which does not clear entry.prev/next, and add_wait_queue with a conditional remove_wait_queue that is skipped when to_check is no longer in the group after concurrent UNLINK. The orphaned wait entry remains on the unlinked substream sleep queue. On the next drain iteration, add_wait_queue adds the entry to a new queue while still linked on the old one, corrupting both lists. A subsequent wake_up dereferences NULL at the func pointer (mapped from the spinlock at offset 0 of the misinterpreted wait_queue_head_t), causing a kernel panic.
Replace init_waitqueue_entry/add_wait_queue/conditional remove_wait_queue with init_wait_entry/prepare_to_wait/ finish_wait. init_wait_entry clears prev/next via INIT_LIST_HEAD on each iteration and sets autoremove_wake_function which auto-removes the entry on wake-up. finish_wait safely handles both the already-removed and still-queued cases.
AnalysisAI
Kernel panic (denial of service) in the Linux kernel ALSA PCM subsystem occurs when snd_pcm_drain() is called on linked (grouped) audio streams that are concurrently unlinked, corrupting wait queue lists and ultimately dereferencing a NULL function pointer. The flaw stems from init_waitqueue_entry/add_wait_queue not clearing list pointers combined with a conditional remove_wait_queue that is skipped after a concurrent UNLINK, leaving an orphaned wait entry that gets added to two queues at once. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access to the system and permission to open ALSA PCM character devices under /dev/snd (typically membership in the 'audio' group or equivalent ACLs). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 7.8) rates this High with full CIA impact, but that scoring appears generous for what the description characterizes as wait-queue list corruption culminating in a NULL-pointer kernel panic - the realistic, demonstrated impact is availability loss (system crash/DoS), not confidentiality or integrity compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local unprivileged user with access to /dev/snd opens two PCM playback substreams, links them into a group, and starts a drain on the group while a second thread races a SNDRV_PCM_IOCTL_UNLINK on one substream. Hitting the window where the conditional remove_wait_queue is skipped leaves a corrupted wait-queue list, and the next wake_up dereferences a NULL function pointer, panicking the kernel and taking the host down. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 5.10.259, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (and 6.19.x users to 6.20), matching whichever branch you run, as listed in the EUVD/NVD data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory Linux systems running affected kernels with ALSA audio support; verify patch availability from your Linux distributor (Red Hat, Ubuntu, Debian, SUSE, etc.). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39193
GHSA-2p59-xc6p-6w7c