{"id":"CVE-2026-46090","summary":"ALSA: aloop: Fix peer runtime UAF during format-change stop","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: aloop: Fix peer runtime UAF during format-change stop\n\nloopback_check_format() may stop the capture side when playback starts\nwith parameters that no longer match a running capture stream. Commit\n826af7fa62e3 (\"ALSA: aloop: Fix racy access at PCM trigger\") moved\nthe peer lookup under cable-\u003elock, but the actual snd_pcm_stop() still\nruns after dropping that lock.\n\nA concurrent close can clear the capture entry from cable-\u003estreams[] and\ndetach or free its runtime while the playback trigger path still holds a\nstale peer substream pointer.\n\nKeep a per-cable count of in-flight peer stops before dropping\ncable-\u003elock, and make free_cable() wait for those stops before\ndetaching the runtime. This preserves the existing behavior while\nmaking the peer runtime lifetime explicit.","modified":"2026-06-24T18:29:21.968822688Z","published":"2026-05-27T12:58:34.428Z","related":["ALSA-2026:27353","ALSA-2026:27354","SUSE-SU-2026:22099-1","SUSE-SU-2026:22108-1","SUSE-SU-2026:22112-1","SUSE-SU-2026:22127-1","SUSE-SU-2026:22137-1","SUSE-SU-2026:2450-1","SUSE-SU-2026:2482-1","SUSE-SU-2026:2591-1","openSUSE-SU-2026:10954-1","openSUSE-SU-2026:20965-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46090.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/03f52a9c170431e8f10e156b9dc0dae80b3e9198"},{"type":"WEB","url":"https://git.kernel.org/stable/c/345c24b2bcf0923dfae1ab41497351c68214ff76"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5d45e34bf001344e2966dabca1897561bbc9e913"},{"type":"WEB","url":"https://git.kernel.org/stable/c/83bd62fa9620ac98d5d694bde14c50f98c8e7189"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bdd9503c3d222d2735b56c7a8b4422ccf3de6e5c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46090.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46090"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"597603d615d2b19a9e451d8cfac24372856a522d"},{"fixed":"83bd62fa9620ac98d5d694bde14c50f98c8e7189"},{"fixed":"345c24b2bcf0923dfae1ab41497351c68214ff76"},{"fixed":"03f52a9c170431e8f10e156b9dc0dae80b3e9198"},{"fixed":"bdd9503c3d222d2735b56c7a8b4422ccf3de6e5c"},{"fixed":"5d45e34bf001344e2966dabca1897561bbc9e913"},{"fixed":"e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46090.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.37"},{"fixed":"5.10.259"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.210"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.12.88"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.27"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46090.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}