ALSA: PCM: Fix wait queue list corruption in snd_pcm

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams

snd_pcm_drain() uses init_waitqueue_entry which does not clear
entry.prev/next, and add_wait_queue with a conditional
remove_wait_queue that is skipped when to_check is no longer
in the group after concurrent UNLINK. The orphaned wait entry
remains on the unlinked substream sleep queue. On the next
drain iteration, add_wait_queue adds the entry to a new queue
while still linked on the old one, corrupting both lists. A
subsequent wake_up dereferences NULL at the func pointer
(mapped from the spinlock at offset 0 of the misinterpreted
wait_queue_head_t), causing a kernel panic.

Replace init_waitqueue_entry/add_wait_queue/conditional
remove_wait_queue with init_wait_entry/prepare_to_wait/
finish_wait. init_wait_entry clears prev/next via
INIT_LIST_HEAD on each iteration and sets
autoremove_wake_function which auto-removes the entry on
wake-up. finish_wait safely handles both the already-removed
and still-queued cases.

Basic Information

ID CVE-2026-53242

Source Linux

Published Jun 25, 2026 at 08:39

Modified Jun 28, 2026 at 06:40

Affected Product

Vendor Linux

Product Linux

Version 9baee36e8c5443411c4629afabafaff8a46a23fd

Affected Versions Linux Linux 9baee36e8c5443411c4629afabafaff8a46a23fd
Linux Linux fc71f888994569f87d5bee20b1ac6c9c1e3a7a79
Linux Linux 629cf09464cf98670996ea5c191dc9743e6f3f00
Linux Linux ae8f8d30d334bad5b1b3cdb1eb8a0b771f55e432
Linux Linux 4a758e9a1f5ed722f83c4dd35f867fe811553bcb
Linux Linux 9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6
Linux Linux 9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6
Linux Linux c2f64e05a0587a83ec42dbd6b7a7ded79b2ff694
Linux Linux 5.10.253
Linux Linux 6.1.167
Linux Linux 6.6.130
Linux Linux 6.12.78
Linux Linux 6.18.19
Linux Linux 6.19.9
Linux Linux 7.0

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams\n\nsnd_pcm_drain() uses init_waitqueue_entry which does not clear\nentry.prev/next, and add_wait_queue with a conditional\nremove_wait_queue that is skipped when to_check is no longer\nin the group after concurrent UNLINK.  The orphaned wait entry\nremains on the unlinked substream sleep queue.  On the next\ndrain iteration, add_wait_queue adds the entry to a new queue\nwhile still linked on the old one, corrupting both lists.  A\nsubsequent wake_up dereferences NULL at the func pointer\n(mapped from the spinlock at offset 0 of the misinterpreted\nwait_queue_head_t), causing a kernel panic.\n\nReplace init_waitqueue_entry/add_wait_queue/conditional\nremove_wait_queue with init_wait_entry/prepare_to_wait/\nfinish_wait.  init_wait_entry clears prev/next via\nINIT_LIST_HEAD on each iteration and sets\nautoremove_wake_function which auto-removes the entry on\nwake-up.  finish_wait safely handles both the already-removed\nand still-queued cases.",
    "published": "2026-06-25T08:39:37.129Z",
    "modified": "2026-06-28T06:40:49.406Z",
    "type": "cve",
    "title": "ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/cac5bf3500ee6422cf64e0df0b5daeecfed42917\nhttps://git.kernel.org/stable/c/d842f26a167e77a36f3ed333b9fa99d36ef99fe6\nhttps://git.kernel.org/stable/c/d68b621bb5a48051932f1017a6e1bc9b18f854d0\nhttps://git.kernel.org/stable/c/b053fcd8912f06c30f932f5b8ec41c72de474695\nhttps://git.kernel.org/stable/c/cd98837db15f323463b8df07282ac723bd5c3fed\nhttps://git.kernel.org/stable/c/7c71a9522555ff137a9ca36b15d759ca04d84788\nhttps://git.kernel.org/stable/c/88fe2e3658726cb21ff2dcf9770bf672f9b9d31b",
    "id": "CVE-2026-53242",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 9baee36e8c5443411c4629afabafaff8a46a23fd\nLinux Linux fc71f888994569f87d5bee20b1ac6c9c1e3a7a79\nLinux Linux 629cf09464cf98670996ea5c191dc9743e6f3f00\nLinux Linux ae8f8d30d334bad5b1b3cdb1eb8a0b771f55e432\nLinux Linux 4a758e9a1f5ed722f83c4dd35f867fe811553bcb\nLinux Linux 9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6\nLinux Linux 9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6\nLinux Linux c2f64e05a0587a83ec42dbd6b7a7ded79b2ff694\nLinux Linux 5.10.253\nLinux Linux 6.1.167\nLinux Linux 6.6.130\nLinux Linux 6.12.78\nLinux Linux 6.18.19\nLinux Linux 6.19.9\nLinux Linux 7.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "9baee36e8c5443411c4629afabafaff8a46a23fd",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams_CVE-2026-53242

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply