HIGH
ALSA OSS Race
CVE-2026-46157
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 5.3 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger

Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race. And, in this case, it may lead to a more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.

Fix it by covering runtime.oss.trigger bit field also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().
02 KernelScan AI Analysis
Risk summary
A race condition in the ALSA OSS compatibility layer allows concurrent access to bit fields without proper locking. This can corrupt adjacent bit fields and cause system instability or kernel panics when multiple threads access audio trigger states simultaneously.
Vulnerability analysis
The vulnerability stems from unsynchronized access to the runtime->oss.trigger bit field in snd_pcm_oss_get_trigger() and snd_pcm_oss_poll(). Since bit field operations are not atomic, concurrent writes can corrupt neighboring bits in the same memory location. The fix adds mutex protection around all trigger field accesses using the existing params_lock, and introduces a helper function to atomically check and clear the trigger flag. The attack surface is local, requiring access to OSS audio devices, typically through audio group membership.
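The neighbouring-field corruption described above can be reproduced in user space. The following is an added example, not kernel code and not part of the patch: the struct, the `counter` field and the function names are hypothetical, and a pthread mutex stands in for params_lock.

```c
/* Added user-space illustration; not kernel code. All names are hypothetical. */
#include <pthread.h>
#include <stdio.h>

#define ITERS 1000000

/* Two bit fields packed into one 32-bit storage unit. */
struct flags {
    unsigned trigger : 1;   /* stands in for the racy flag */
    unsigned counter : 31;  /* hypothetical neighbouring field */
};

static volatile struct flags shared;
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER; /* plays the role of params_lock */
static int use_lock;

/* A bit-field write is load word, modify bits, store word; racy on purpose when unlocked. */
static void *writer(void *arg) {
    int bump = (arg != NULL);  /* non-NULL: counter thread, NULL: trigger thread */
    for (int i = 0; i < ITERS; i++) {
        if (use_lock) pthread_mutex_lock(&lock);
        if (bump) shared.counter = shared.counter + 1;
        else      shared.trigger = !shared.trigger;
        if (use_lock) pthread_mutex_unlock(&lock);
    }
    return NULL;
}

/* Runs both writers; returns how many counter increments were lost. */
long lost_updates(int locked) {
    pthread_t a, b;
    use_lock = locked;
    shared.trigger = 0;
    shared.counter = 0;
    pthread_create(&a, NULL, writer, NULL);
    pthread_create(&b, NULL, writer, &use_lock);
    pthread_join(a, NULL);
    pthread_join(b, NULL);
    return (long)ITERS - (long)shared.counter;
}

int main(void) {
    printf("unlocked: %ld increments lost\n", lost_updates(0));
    printf("locked:   %ld increments lost\n", lost_updates(1));
    return 0;
}
```

The unlocked count varies from run to run and can be zero on a single core; the locked count is always zero because each read-modify-write of the shared word completes before the other thread's begins.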
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.88 | 49f9d048845b |
| 6.18 | 6.18.30 | ac3e9b55b7da |
| 7.0 | 7.0.7 | 6b01c1bc9a47 |
| mainline | 7.1-rc2 | 901ac0ff15ed |