Skip to main content

Linux Kernel EUVDEUVD-2026-27687

| CVE-2026-43126 HIGH
2026-05-06 Linux GHSA-3m8w-q233-vhrp
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:29 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ALSA: mixer: oss: Add card disconnect checkpoints

ALSA OSS mixer layer calls the kcontrol ops rather individually, and pending calls might be not always caught at disconnecting the device.

For avoiding the potential UAF scenarios, add sanity checks of the card disconnection at each entry point of OSS mixer accesses. The rwsem is taken just before that check, hence the rest context should be covered by that properly.

AnalysisAI

Use-after-free in Linux kernel ALSA OSS mixer allows authenticated local attackers with low privileges to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability stems from insufficient card disconnection checks when OSS mixer layer calls kcontrol operations individually, creating a race condition window where pending calls continue after device removal. Upstream patches available across kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability, and no KEV listing or public exploit identified at time of analysis.

Technical ContextAI

This vulnerability affects the Advanced Linux Sound Architecture (ALSA) subsystem, specifically the Open Sound System (OSS) compatibility mixer layer (sound/core/oss/mixer_oss.c). The OSS mixer provides backward compatibility for legacy OSS applications on modern Linux systems. The issue arises because the OSS mixer layer invokes kernel control operations (kcontrol ops) individually without atomic guarantees around device lifecycle management. When a sound card is disconnected (physically removed or driver unload), pending mixer operations may complete after the underlying data structures are freed, creating a use-after-free condition. The patch series adds rwsem-protected card disconnection checkpoints at each OSS mixer entry point to serialize access and prevent UAF scenarios. This represents a classic time-of-check-to-time-of-use (TOCTOU) race condition in driver cleanup paths, where the gap between checking device validity and using device resources creates exploitable windows.

RemediationAI

Update to patched Linux kernel versions: 6.12.75 or later in 6.12.x series, 6.18.16+ in 6.18.x series, 6.19.6+ in 6.19.x series, or upgrade to kernel 7.0 mainline. Patches linked from upstream Git stable repository at references above implement rwsem-protected card disconnection checks at OSS mixer entry points. For systems unable to upgrade immediately, disable OSS emulation if not required for legacy application compatibility by setting kernel module parameter options snd-mixer-oss to disabled or blacklisting snd-mixer-oss module entirely (echo 'blacklist snd-mixer-oss' >> /etc/modprobe.d/disable-oss.conf; update-initramfs -u). Note this breaks applications expecting /dev/mixer OSS device nodes. Alternatively, restrict unprivileged access to sound card hotplug capabilities via udev rules limiting USB audio device permissions to trusted users only, though this reduces usability and does not eliminate insider threat scenarios. Namespace isolation (user namespaces, containers) provides defense-in-depth by limiting post-exploitation impact but does not prevent local kernel exploitation. Verify patches applied via dmesg or kernel version string matching expected patched versions from EUVD advisory.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27687 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy