ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()

In the drain loop, the local variable 'runtime' is reassigned to a
linked stream's runtime (runtime = s->runtime at line 2157). After
releasing the stream lock at line 2169, the code accesses
runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size
(lines 2170-2178) — all referencing the linked stream's runtime without
any lock or refcount protecting its lifetime.

A concurrent close() on the linked stream's fd triggers
snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private()
→ snd_pcm_unlink() → snd_pcm_detach_substream() → kfree(runtime).
No synchronization prevents kfree(runtime) from completing while the
drain path dereferences the stale pointer.

Fix by caching the needed runtime fields (no_period_wakeup, rate,
buffer_size) into local variables while still holding the stream lock,
and using the cached values after the lock is released.

Basic Information

ID CVE-2026-43437

Source Linux

Published May 8, 2026 at 14:22

Modified May 11, 2026 at 06:34

Affected Product

Vendor Linux

Product Linux

Version f2b3614cefb61ee6046a0aaee503ee37f227d310

Affected Versions Linux Linux f2b3614cefb61ee6046a0aaee503ee37f227d310
Linux Linux f2b3614cefb61ee6046a0aaee503ee37f227d310
Linux Linux f2b3614cefb61ee6046a0aaee503ee37f227d310
Linux Linux f2b3614cefb61ee6046a0aaee503ee37f227d310
Linux Linux f2b3614cefb61ee6046a0aaee503ee37f227d310
Linux Linux f2b3614cefb61ee6046a0aaee503ee37f227d310
Linux Linux f2b3614cefb61ee6046a0aaee503ee37f227d310
Linux Linux 3.0

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()\n\nIn the drain loop, the local variable 'runtime' is reassigned to a\nlinked stream's runtime (runtime = s->runtime at line 2157).  After\nreleasing the stream lock at line 2169, the code accesses\nruntime->no_period_wakeup, runtime->rate, and runtime->buffer_size\n(lines 2170-2178) \u2014 all referencing the linked stream's runtime without\nany lock or refcount protecting its lifetime.\n\nA concurrent close() on the linked stream's fd triggers\nsnd_pcm_release_substream() \u2192 snd_pcm_drop() \u2192 pcm_release_private()\n\u2192 snd_pcm_unlink() \u2192 snd_pcm_detach_substream() \u2192 kfree(runtime).\nNo synchronization prevents kfree(runtime) from completing while the\ndrain path dereferences the stale pointer.\n\nFix by caching the needed runtime fields (no_period_wakeup, rate,\nbuffer_size) into local variables while still holding the stream lock,\nand using the cached values after the lock is released.",
    "published": "2026-05-08T14:22:07.314Z",
    "modified": "2026-05-11T06:34:28.055Z",
    "type": "cve",
    "title": "ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/9baee36e8c5443411c4629afabafaff8a46a23fd\nhttps://git.kernel.org/stable/c/fc71f888994569f87d5bee20b1ac6c9c1e3a7a79\nhttps://git.kernel.org/stable/c/629cf09464cf98670996ea5c191dc9743e6f3f00\nhttps://git.kernel.org/stable/c/ae8f8d30d334bad5b1b3cdb1eb8a0b771f55e432\nhttps://git.kernel.org/stable/c/4a758e9a1f5ed722f83c4dd35f867fe811553bcb\nhttps://git.kernel.org/stable/c/c2f64e05a0587a83ec42dbd6b7a7ded79b2ff694\nhttps://git.kernel.org/stable/c/9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6",
    "id": "CVE-2026-43437",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux f2b3614cefb61ee6046a0aaee503ee37f227d310\nLinux Linux f2b3614cefb61ee6046a0aaee503ee37f227d310\nLinux Linux f2b3614cefb61ee6046a0aaee503ee37f227d310\nLinux Linux f2b3614cefb61ee6046a0aaee503ee37f227d310\nLinux Linux f2b3614cefb61ee6046a0aaee503ee37f227d310\nLinux Linux f2b3614cefb61ee6046a0aaee503ee37f227d310\nLinux Linux f2b3614cefb61ee6046a0aaee503ee37f227d310\nLinux Linux 3.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "f2b3614cefb61ee6046a0aaee503ee37f227d310",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()_CVE-2026-43437

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply