CVE-2026-43437

Summary

In the Linux kernel, the following vulnerability has been resolved:

ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()

In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime (runtime = s->runtime at line 2157). After releasing the stream lock at line 2169, the code accesses runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size (lines 2170-2178) — all referencing the linked stream's runtime without any lock or refcount protecting its lifetime.

A concurrent close() on the linked stream's fd triggers snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private() → snd_pcm_unlink() → snd_pcm_detach_substream() → kfree(runtime). No synchronization prevents kfree(runtime) from completing while the drain path dereferences the stale pointer.

Fix by caching the needed runtime fields (no_period_wakeup, rate, buffer_size) into local variables while still holding the stream lock, and using the cached values after the lock is released.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxf2b3614cefb61ee6046a0aaee503ee37f227d310 < 9baee36e8c5443411c4629afabafaff8a46a23fdaffected
LinuxLinuxf2b3614cefb61ee6046a0aaee503ee37f227d310 < fc71f888994569f87d5bee20b1ac6c9c1e3a7a79affected
LinuxLinuxf2b3614cefb61ee6046a0aaee503ee37f227d310 < 629cf09464cf98670996ea5c191dc9743e6f3f00affected
LinuxLinuxf2b3614cefb61ee6046a0aaee503ee37f227d310 < ae8f8d30d334bad5b1b3cdb1eb8a0b771f55e432affected
LinuxLinuxf2b3614cefb61ee6046a0aaee503ee37f227d310 < 4a758e9a1f5ed722f83c4dd35f867fe811553bcbaffected
LinuxLinuxf2b3614cefb61ee6046a0aaee503ee37f227d310 < c2f64e05a0587a83ec42dbd6b7a7ded79b2ff694affected
LinuxLinuxf2b3614cefb61ee6046a0aaee503ee37f227d310 < 9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6affected
LinuxLinux3.0affected
LinuxLinux0 < 3.0unaffected
LinuxLinux5.10.253 <= 5.10.*unaffected
LinuxLinux6.1.167 <= 6.1.*unaffected
LinuxLinux6.6.130 <= 6.6.*unaffected
LinuxLinux6.12.78 <= 6.12.*unaffected
LinuxLinux6.18.19 <= 6.18.*unaffected
LinuxLinux6.19.9 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References