CVE-2026-43459
Description
In the Linux kernel, the following vulnerability has been resolved:
ASoC: soc-core: flush delayed work before removing DAIs and widgets
When a sound card is unbound while a PCM stream is open, a use-after-free can occur in snd_soc_dapm_stream_event(), called from the close_delayed_work workqueue handler.
During unbind, snd_soc_unbind_card() flushes delayed work and then calls soc_cleanup_card_resources(). Inside cleanup, snd_card_disconnect_sync() releases all PCM file descriptors, and the resulting PCM close path can call snd_soc_dapm_stream_stop() which schedules new delayed work with a pmdown_time timer delay. Since this happens after the flush in snd_soc_unbind_card(), the new work is not caught. soc_remove_link_components() then frees DAPM widgets before this work fires, leading to the use-after-free.
The existing flush in soc_free_pcm_runtime() also cannot help as it runs after soc_remove_link_components() has already freed the widgets.
Add a flush in soc_cleanup_card_resources() after snd_card_disconnect_sync() (after which no new PCM closes can schedule further delayed work) and before soc_remove_link_dais() and soc_remove_link_components() (which tear down the structures the delayed work accesses).
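The teardown ordering described above, as an added userspace model (not kernel code and not the upstream patch). The struct, flags and `*_model` helpers are hypothetical stand-ins named after the kernel functions in the description, and no memory is actually freed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: flags stand in for kernel objects. */
struct card_model {
    bool widgets_live;   /* DAPM widgets still allocated */
    bool pcm_open;       /* a PCM stream is open */
    bool work_pending;   /* close_delayed_work queued (pmdown_time delay) */
    bool stale_access;   /* work ran after the widgets were freed */
};

/* Delayed work body: touches widgets, like snd_soc_dapm_stream_event(). */
static void run_work(struct card_model *c)
{
    if (!c->work_pending)
        return;
    c->work_pending = false;
    if (!c->widgets_live)
        c->stale_access = true;  /* this is the use-after-free */
}

static void flush_delayed_work_model(struct card_model *c) { run_work(c); }
static void remove_components_model(struct card_model *c) { c->widgets_live = false; }

/* Disconnect releases PCM fds; the close path queues new delayed work. */
static void disconnect_sync_model(struct card_model *c)
{
    if (c->pcm_open) {
        c->pcm_open = false;
        c->work_pending = true;
    }
}

/* Returns true if the delayed work touched freed widgets during unbind. */
bool unbind_hits_stale_widgets(bool flush_after_disconnect)
{
    struct card_model c = { .widgets_live = true, .pcm_open = true };
    flush_delayed_work_model(&c);       /* flush in snd_soc_unbind_card() */
    disconnect_sync_model(&c);          /* snd_card_disconnect_sync() */
    if (flush_after_disconnect)
        flush_delayed_work_model(&c);   /* flush added by the fix */
    remove_components_model(&c);        /* soc_remove_link_components() */
    flush_delayed_work_model(&c);       /* late flush, soc_free_pcm_runtime() */
    return c.stale_access;
}

int main(void)
{
    printf("without fix: %d, with fix: %d\n",
           unbind_hits_stale_widgets(false), unbind_hits_stale_widgets(true));
    return 0;
}
```

The late flush still runs the work in the unfixed ordering, but only after the widgets are gone, which is why the flush in soc_free_pcm_runtime() cannot help.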
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in the Linux kernel's ASoC subsystem can occur when a sound card is unbound while a PCM stream is open, because delayed work is not flushed after disconnection.
Vulnerability Overview
A use-after-free vulnerability exists in the Linux kernel's ASoC (ALSA System on Chip) subsystem. The root cause is a race condition during sound card unbinding: when a PCM stream is open and the card is unbound, the close_delayed_work workqueue handler can access DAPM widgets and DAIs after they have been freed. The issue arises because snd_soc_unbind_card() flushes delayed work, but the subsequent snd_card_disconnect_sync() releases PCM file descriptors, whose close path can schedule new delayed work via snd_soc_dapm_stream_stop() with a pmdown_time timer delay. This new work is not caught by the earlier flush, and later soc_remove_link_components() frees the widgets before the work fires, leading to a use-after-free in snd_soc_dapm_stream_event() [1].
Exploitation Scenario
An attacker with local access and the ability to open a PCM stream on an ASoC sound card can trigger the vulnerability by initiating an unbind of the sound card while the stream is active. No special privileges beyond the ability to open a PCM device are required, as the race condition occurs in normal driver teardown paths. The attack surface is limited to systems where ASoC sound cards can be dynamically unbound, such as via sysfs or module removal [1].
Impact
Successful exploitation results in a use-after-free, which can lead to memory corruption, system crash (denial of service), or potentially arbitrary code execution in kernel context. The vulnerability is rated High with a CVSS v3 score of 7.3, reflecting the potential for privilege escalation and availability impact [1].
Mitigation
The fix, introduced in Linux kernel commit 95bc5c225513, adds a flush of delayed work in soc_cleanup_card_resources() after snd_card_disconnect_sync() (which ensures no new PCM closes can schedule further work) and before soc_remove_link_dais() and soc_remove_link_components() tear down the structures. This ensures all pending work is completed before the resources are freed. Users should apply the latest stable kernel updates containing this commit [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (8)
- git.kernel.org/stable/c/231568afbc0cd25b8fb2a94ebf9738eabe1cf007 (nvd)
- git.kernel.org/stable/c/317a9298c54bb00319da73e5a7179f00e67fcbdf (nvd)
- git.kernel.org/stable/c/3887e514978d28216246360b46a9cb534969eb5a (nvd)
- git.kernel.org/stable/c/7d33e6140945482a07f8089ee86e13e02553ffdb (nvd)
- git.kernel.org/stable/c/95bc5c225513fc3c4ce169563fb5e3929fbb938b (nvd)
- git.kernel.org/stable/c/bf80a89da97285d9b877e0c6995e870d46b8025c (nvd)
- git.kernel.org/stable/c/c054f0607c8bb1b1aa529bc109e4149298a1cccd (nvd)
- git.kernel.org/stable/c/eab71e11ce2447c1e01809cbc11eab4234cf8dc8 (nvd)