HIGH
ALSA OSS UAF
CVE-2026-43126
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.0 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: mixer: oss: Add card disconnect checkpoints

ALSA OSS mixer layer calls the kcontrol ops rather individually, and pending calls might not always be caught at disconnecting the device.

For avoiding the potential UAF scenarios, add sanity checks of the card disconnection at each entry point of OSS mixer accesses. The rwsem is taken just before that check, hence the rest of the context should be covered by that properly.
02 KernelScan AI Analysis
Risk summary
Local users with audio device access can trigger a use-after-free vulnerability during sound card disconnection. This can lead to kernel memory corruption, privilege escalation, or system crashes. The vulnerability primarily affects systems with hotpluggable audio devices like USB sound cards.
Vulnerability analysis
The ALSA OSS mixer layer has a race condition where mixer operations can access freed card structures during device disconnection. The root cause is insufficient synchronization between OSS mixer entry points and the card disconnect process. The fix adds card->shutdown checks after acquiring the controls_rwsem read lock in all mixer operation entry points, ensuring operations abort safely if the card is being disconnected. Attack surface is local-only, requiring access to OSS mixer device files and the ability to trigger sound card disconnection events.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.75 | ae583f113d15 |
| 6.18 | 6.18.16 | e6645e625480 |
| 6.19 | 6.19.6 | 8c097cf73699 |
| mainline | 7.0 | 084d5d444181 |