Severity: HIGH · CVE-2026-46090 · CNA: Linux

CVE-2026-46090: ALSA: aloop: Fix peer runtime UAF during format-change stop

In the Linux kernel, the following vulnerability has been resolved:

ALSA: aloop: Fix peer runtime UAF during format-change stop

loopback_check_format() may stop the capture side when playback starts with parameters that no longer match a running capture stream. Commit 826af7fa62e3 ("ALSA: aloop: Fix racy access at PCM trigger") moved the peer lookup under cable->lock, but the actual snd_pcm_stop() still runs after dropping that lock. A concurrent close can clear the capture entry from cable->streams[] and detach or free its runtime while the playback trigger path still holds a stale peer substream pointer.

Keep a per-cable count of in-flight peer stops before dropping cable->lock, and make free_cable() wait for those stops before detaching the runtime. This preserves the existing behavior while making the peer runtime lifetime explicit.
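To make the lifetime problem in the description concrete, here is an added single-threaded C model of the interleaving. It is not the aloop driver's code; the type and function names are this example's own stand-ins, and the interleaving is driven by hand rather than by real concurrency. It walks the three steps the text names: the peer lookup under the lock, a close that clears the entry and frees the side, and the deferred stop that runs after the lock was dropped. With `fixed` set, the lookup records an in-flight stop and the free stand-in refuses to detach until that count drains, which is the counting pattern the fix describes (the real kernel waits rather than returning busy).

```c
/* Added example: a constructed model of the race and of the fix pattern.
 * Nothing here is kernel code; names are stand-ins for the description. */
#include <stddef.h>
#include <stdio.h>

#define CABLE_STREAMS 2

struct model_runtime { int stopped; };

struct model_substream {
    struct model_runtime *runtime;  /* NULL once this side has been freed */
};

struct model_cable {
    int in_flight_stops;            /* the fix: peer stops begun but not finished */
    struct model_substream *streams[CABLE_STREAMS];
};

struct model_result { int stop_rc; int detached; };

/* Stand-ins for cable->lock; the interleaving below is sequenced by hand,
 * so these only mark where the critical sections begin and end. */
static void cable_lock(struct model_cable *c)   { (void)c; }
static void cable_unlock(struct model_cable *c) { (void)c; }

/* Trigger path, part 1: find the peer under the lock. In the fixed variant
 * the lookup also records that a stop on that peer is now in flight. */
static struct model_substream *
trigger_lookup_peer(struct model_cable *c, int peer_idx, int fixed)
{
    cable_lock(c);
    struct model_substream *peer = c->streams[peer_idx];
    if (peer && fixed)
        c->in_flight_stops++;
    cable_unlock(c);
    return peer;                    /* used later without the lock held */
}

/* Trigger path, part 2: the snd_pcm_stop() stand-in that runs after the
 * lock was dropped. Returns 0 on success, -1 when the pointer is stale
 * (the place where the real bug dereferences freed memory). */
static int
trigger_stop_peer(struct model_cable *c, struct model_substream *peer, int fixed)
{
    int rc = -1;
    if (peer->runtime) {
        peer->runtime->stopped = 1;
        rc = 0;
    }
    if (fixed) {
        cable_lock(c);
        c->in_flight_stops--;       /* free may proceed once this reaches 0 */
        cable_unlock(c);
    }
    return rc;
}

/* Close path, part 1: clear the entry from streams[] under the lock. */
static struct model_substream *close_stream(struct model_cable *c, int idx)
{
    cable_lock(c);
    struct model_substream *s = c->streams[idx];
    c->streams[idx] = NULL;
    cable_unlock(c);
    return s;
}

/* Close path, part 2: the free_cable() stand-in. The fixed variant refuses
 * to detach while a peer stop is in flight and returns 1 so the caller
 * retries; returns 0 once the runtime has been detached. */
static int free_side(struct model_cable *c, struct model_substream *s, int fixed)
{
    cable_lock(c);
    int busy = fixed && c->in_flight_stops > 0;
    cable_unlock(c);
    if (busy)
        return 1;
    s->runtime = NULL;
    return 0;
}

/* The interleaving from the CVE text: peer lookup, a concurrent close that
 * frees the side, then the deferred stop on the pointer taken earlier. */
struct model_result run_interleaving(int fixed)
{
    struct model_runtime rt = { 0 };
    struct model_substream capture = { &rt };
    struct model_cable c = { 0, { NULL, &capture } };
    struct model_result r;

    struct model_substream *peer = trigger_lookup_peer(&c, 1, fixed);
    struct model_substream *closed = close_stream(&c, 1);
    int busy = free_side(&c, closed, fixed);     /* vulnerable: detaches now */
    r.stop_rc = trigger_stop_peer(&c, peer, fixed);
    if (busy)
        busy = free_side(&c, closed, fixed);     /* stops drained: detach now */
    r.detached = (closed->runtime == NULL) && !busy;
    return r;
}

int main(void)
{
    struct model_result v = run_interleaving(0);
    struct model_result f = run_interleaving(1);
    printf("vulnerable: stop rc=%d detached=%d\n", v.stop_rc, v.detached);
    printf("fixed:      stop rc=%d detached=%d\n", f.stop_rc, f.detached);
    return 0;
}
```

In the vulnerable ordering the stop sees a detached runtime (rc -1, the stale-pointer case); in the fixed ordering the free is held back until the stop completes, and the runtime is still detached afterwards, which is the "preserves the existing behavior" property the description claims.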

HarborGuard Analysis

Synopsis

This is a use-after-free (UAF) vulnerability in the Linux kernel's ALSA loopback audio driver (aloop). An attacker with a local shell account on the host can trigger the bug by racing a format-change stop against a concurrent stream close, causing the playback trigger path to dereference a freed peer substream pointer. Successful exploitation gives the attacker read, write, and execute capabilities over kernel memory, enabling privilege escalation or full system compromise. A patched-image rebuild is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that carry an affected kernel version. Any image whose kernel package falls below the fix commits or fix release versions (6.12.88, 6.18.27) is flagged automatically in the pipeline scan results.
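A minimal form of the threshold check that a scanner applies, as an added example rather than HarborGuard's own code: it parses a kernel version string (with or without a distro suffix) and compares the patch level against the fix release for its stable line. The table holds the fix releases listed on this page (6.12.88, 6.18.27, 7.0.4); treating any other major.minor line as "unknown, check the fix commits instead" is this example's own assumption.

```c
/* Added example: classify a kernel version string against the fix
 * releases named on this page. Not HarborGuard's scanner. */
#include <stdio.h>
#include <stddef.h>

struct fix_release { int major, minor, patch; };

/* Fix releases from the page; each entry covers its own major.minor line.
 * (Assumption of this example: a line not listed here is reported as
 * unknown, since its status depends on the fix commits, not a release.) */
static const struct fix_release fixes[] = {
    { 6, 12, 88 },
    { 6, 18, 27 },
    { 7,  0,  4 },
};

/* Parse "6.12.87-generic" or "6.12.87" into numbers; 0 on failure.
 * A missing patch level (e.g. "7.1-rc2") is read as patch 0. */
static int parse_kver(const char *s, int *maj, int *min, int *pat)
{
    *pat = 0;
    int n = sscanf(s, "%d.%d.%d", maj, min, pat);
    return n >= 2;
}

/* Returns 1 if the version is below the fix for its line (affected),
 * 0 if at or above it (fixed), -1 if unparsable or the line is unknown. */
int kernel_affected(const char *version)
{
    int maj, min, pat;
    if (!parse_kver(version, &maj, &min, &pat))
        return -1;
    for (size_t i = 0; i < sizeof fixes / sizeof fixes[0]; i++) {
        if (fixes[i].major == maj && fixes[i].minor == min)
            return pat < fixes[i].patch ? 1 : 0;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample inputs, not real scan data. */
    const char *samples[] = { "6.12.87-generic", "6.12.88", "6.18.26",
                              "7.0.4", "6.15.3", "not-a-version" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %d\n", samples[i], kernel_affected(samples[i]));
    return 0;
}
```

The -1 result matters in practice: a kernel on a line the table does not know (or a vendor kernel with backported fixes and an unchanged version string) should be routed to a commit-level check rather than silently reported as fixed.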

Triage (Available)

HarborGuard scores this CVE at CVSS 7.8 HIGH and surfaces it with that rating in each customer's triage queue, weighted further by any per-environment compliance policies the customer has configured. Findings are routed to the appropriate team inbox based on image ownership and policy rules defined inside each customer org.

Patch (Available)

A patched-image rebuild at the fix versions (6.12.88 or 6.18.27, or incorporating the relevant fix commits) becomes available on HarborGuard once the upstream fix is confirmed for a given kernel lineage. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target service is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to trigger the race condition in the ALSA aloop driver.

  • Victim interaction: Not required

    No user interaction is needed; the attacker triggers the vulnerability entirely through their own process actions.

  • Attack complexity: Low

    Exploit complexity is low; no special memory layout, race-window tuning, or environmental pre-conditions beyond a local account are required for reliable exploitation.

Blast Radius

  • Reads arbitrary kernel memory, exposing credentials, session tokens, and other sensitive in-memory data belonging to any process on the host.
  • Writes to arbitrary kernel memory, allowing the attacker to overwrite security-critical structures and escalate privileges to root.
  • Crashes the affected kernel or renders the system unresponsive by corrupting freed memory structures in the audio subsystem.
  • With kernel-level code execution achieved, the attacker can escape container boundaries and affect co-tenant workloads on the same host.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image carrying a kernel package below the fix threshold. For customers who opt into auto-remediation, HarborGuard rebuilds the image at a patched kernel version, runs a regression test pass, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuild artifact is staged and the PR is held in draft pending review. Because this is a local privilege-escalation bug rather than a remotely reachable service, customers who cannot immediately apply the patch should consider restricting unprivileged access to audio subsystem devices via seccomp or LSM policy (AppArmor or SELinux profiles that deny access to loopback PCM devices) as a compensating control until the kernel update is rolled out.


Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2

Fix available

  • 0
  • 03f52a9c170431e8f10e156b9dc0dae80b3e9198
  • 5d45e34bf001344e2966dabca1897561bbc9e913
  • 6.12.88
  • 6.18.27
  • 7.0.4
  • 7.1-rc2
  • bdd9503c3d222d2735b56c7a8b4422ccf3de6e5c
  • e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff
Affected packages
  • Linux / Linux
    < 03f52a9c170431e8f10e156b9dc0dae80b3e9198 (from 597603d615d2b19a9e451d8cfac24372856a522d) · < bdd9503c3d222d2735b56c7a8b4422ccf3de6e5c (from 597603d615d2b19a9e451d8cfac24372856a522d) · < 5d45e34bf001344e2966dabca1897561bbc9e913 (from 597603d615d2b19a9e451d8cfac24372856a522d) · < e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff (from 597603d615d2b19a9e451d8cfac24372856a522d)
  • Linux / Linux
    2.6.37
    Fixed in 0, 6.12.88, 6.18.27, 7.0.4, 7.1-rc2
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H