KernelScan.io

HIGH

alsa aloop PCM Trigger UAF

CVE-2026-23191

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH


In the Linux kernel, the following vulnerability has been resolved:

ALSA: aloop: Fix racy access at PCM trigger

The PCM trigger callback of the aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both the check and the stop operations are performed outside the cable lock, this may result in a UAF when a program attempts to trigger frequently while opening/closing the tied stream, as spotted by fuzzers.

For addressing the UAF, this patch changes two things:

- It covers most of the code in loopback_check_format() with the cable->lock spinlock, and adds the proper NULL checks. This already avoids some racy accesses.
- In addition, now we try to check the state of the capture PCM stream that may be stopped in this function, which was the major pain point leading to the UAF.


Engine v0.2.0

Risk summary

This vulnerability allows local attackers with audio device access to cause kernel crashes or potentially execute arbitrary code by rapidly triggering PCM operations while opening/closing audio streams. The race condition can lead to use-after-free conditions when kernel objects are accessed after being freed, which could result in system instability or privilege escalation.

Affected file: sound/drivers/aloop.c

Vulnerability analysis

Summary: Race condition in ALSA aloop driver PCM trigger callback leads to use-after-free vulnerability

Root Cause: The PCM trigger callback in the aloop driver performs PCM state checks and stream stop operations on tied substreams without proper locking. The cable->lock spinlock was not held during critical sections where substream pointers are accessed and dereferenced, creating a race condition between trigger operations and stream open/close operations.

Attack Surface: Local attack surface requiring access to ALSA audio devices. An attacker needs the ability to open/close audio streams and trigger PCM operations rapidly to exploit the race condition. This typically requires local access or processes with audio device permissions.

Fix Mechanism: The patch addresses the UAF by:

1) Wrapping most of loopback_check_format() with the cable->lock spinlock using scoped_guard.
2) Adding proper NULL pointer checks for dpcm_play, dpcm_capt, runtime, and cruntime before dereferencing them.
3) Moving the snd_pcm_stop() call outside the locked section to avoid potential deadlocks while still ensuring safe access to the capture substream pointer.


Branch     Fixed in   Patch commit
6.12       6.12.70    bad15420050d
6.18       6.18.10    5727ccf9d19c
mainline   6.19       826af7fa62e3