CVE-2026-43437
Description
In the Linux kernel, the following vulnerability has been resolved:
ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime (runtime = s->runtime at line 2157). After releasing the stream lock at line 2169, the code accesses runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size (lines 2170-2178) — all referencing the linked stream's runtime without any lock or refcount protecting its lifetime.
A concurrent close() on the linked stream's fd triggers snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private() → snd_pcm_unlink() → snd_pcm_detach_substream() → kfree(runtime). No synchronization prevents kfree(runtime) from completing while the drain path dereferences the stale pointer.
Fix by caching the needed runtime fields (no_period_wakeup, rate, buffer_size) into local variables while still holding the stream lock, and using the cached values after the lock is released.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/4a758e9a1f5ed722f83c4dd35f867fe811553bcbnvd
- git.kernel.org/stable/c/629cf09464cf98670996ea5c191dc9743e6f3f00nvd
- git.kernel.org/stable/c/9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6nvd
- git.kernel.org/stable/c/9baee36e8c5443411c4629afabafaff8a46a23fdnvd
- git.kernel.org/stable/c/ae8f8d30d334bad5b1b3cdb1eb8a0b771f55e432nvd
- git.kernel.org/stable/c/c2f64e05a0587a83ec42dbd6b7a7ded79b2ff694nvd
- git.kernel.org/stable/c/fc71f888994569f87d5bee20b1ac6c9c1e3a7a79nvd
News mentions
0No linked articles in our index yet.