Severity: HIGH | CVE-2026-46157 | CNA: Linux

CVE-2026-46157: ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger

In the Linux kernel, the following vulnerability has been resolved:

ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger

Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race. And, in this case, it may lead to a more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.

Fix it by covering the runtime.oss.trigger bit field also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().
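The following C model is an added example, not kernel code or code from the fix: it replays the load/modify/store sequence behind a bit-field write to show how an unlocked writer of one field overwrites a neighbouring field, and how serializing the accesses (what holding params_lock achieves) avoids it. The struct and every field name except `trigger` are illustrative assumptions, and locking is represented by ordering rather than a real mutex.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the OSS runtime flags. Only "trigger" is named on
 * the page; "params" and "prepare" are illustrative neighbours. */
struct oss_flags { unsigned params : 1, prepare : 1, trigger : 1; };
_Static_assert(sizeof(struct oss_flags) == sizeof(uint32_t), "one shared word");

/* A bit-field store compiles to load-word, modify, store-word. These helpers
 * expose the two halves so an interleaving can be replayed deterministically. */
static uint32_t load_word(const struct oss_flags *f)
{ uint32_t w; memcpy(&w, f, sizeof w); return w; }
static void store_word(struct oss_flags *f, uint32_t w)
{ memcpy(f, &w, sizeof w); }

static struct oss_flags initial(void)          /* params=1, trigger=0 */
{ struct oss_flags f; memset(&f, 0, sizeof f); f.params = 1; return f; }

static uint32_t mask_trigger(void)
{ struct oss_flags f; memset(&f, 0, sizeof f); f.trigger = 1; return load_word(&f); }
static uint32_t mask_params(void)
{ struct oss_flags f; memset(&f, 0, sizeof f); f.params = 1; return load_word(&f); }

/* No lock: both writers load the same old word before either stores. */
static struct oss_flags racy_interleaving(void)
{
    struct oss_flags f = initial();
    uint32_t a = load_word(&f);              /* A: load for trigger = 1 */
    uint32_t b = load_word(&f);              /* B: load for params = 0  */
    store_word(&f, a | mask_trigger());      /* A: store, trigger is now 1 */
    store_word(&f, b & ~mask_params());      /* B: store, stale trigger=0 wins */
    return f;
}

/* Each access completes under the lock before the next starts. The lock is
 * represented by ordering only; no real mutex is taken in this model. */
static struct oss_flags serialized(void)
{
    struct oss_flags f = initial();
    f.trigger = 1;                           /* A, inside lock/unlock */
    f.params = 0;                            /* B, inside lock/unlock */
    return f;
}

int main(void)
{
    printf("racy:       trigger=%d\n", racy_interleaving().trigger);
    printf("serialized: trigger=%d\n", serialized().trigger);
    return 0;
}
```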

HarborGuard Analysis


Synopsis

A data race vulnerability exists in the Linux kernel's ALSA PCM OSS subsystem, specifically in how the runtime.oss.trigger bit field is accessed concurrently without mutex protection. The flaw is reachable locally by an attacker who already holds a low-privilege account on the host, requiring no network access and no user interaction, as reflected in the CVSS vector (AV:L/PR:L/UI:N). Successful exploitation corrupts shared kernel state, giving an attacker the ability to read protected memory, tamper with kernel data, or crash the system. Patched kernel versions 6.12.88, 6.18.30, and the associated upstream commits are available, and a patched-image rebuild is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection of CVE-2026-46157 is available across every HarborGuard environment: the CVE is ingested from upstream Linux kernel security feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built images that bundle an affected kernel or kernel modules.

Status: Available

Triage

Triage capability is available using the CVSS v3.1 base score of 7.8 (HIGH), weighted further by each customer environment's compliance policy to reflect actual exposure context. Findings are routed to the appropriate team inbox within the customer org based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild targeting the fixed kernel versions (6.12.88, 6.18.30, or the corresponding upstream commits) becomes available on HarborGuard for any image found to include an affected kernel version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs regression tests, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the vulnerable component is required.

  • Authentication: Required

    Any low-privilege local account is sufficient; no elevated or administrative credentials are needed to reach the vulnerable code path.

  • Victim interaction: Not required

    No user interaction is needed; the attacker can trigger the race condition entirely through their own process.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race-window timing beyond what the unprotected bit-field access itself creates, nor on specific memory layout conditions.

Blast Radius

  • An attacker reads protected kernel memory, which may expose session tokens, credentials, or other sensitive data held in kernel structures.
  • Corrupted bit-field writes allow an attacker to tamper with adjacent kernel state fields, altering PCM device behavior or broader ALSA subsystem behavior.
  • Kernel state corruption can cause an unrecoverable fault, crashing the affected host and taking down all workloads running on it.
  • Because the affected code sits in a shared kernel subsystem, corruption is not isolated to the triggering process and may affect other processes sharing the same audio device context.

How HarborGuard Handles This

Available on HarborGuard: once an image scan identifies a kernel that predates the fixes (versions 6.12.88 and 6.18.30, or commits 49f9d048845be874df7997e4b1ce662de450c4b6 and 6b01c1bc9a4748ab37548a700a8aaff910e298e6), a patched-image rebuild becomes available immediately. For customers with auto-remediation enabled, HarborGuard rebuilds the image, executes the configured regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy permits, customers are encouraged to prioritize remediation given the HIGH severity rating and the combination of full confidentiality, integrity, and availability impact on the host kernel.


Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2

Fix available

  • 0
  • 49f9d048845be874df7997e4b1ce662de450c4b6
  • 6.12.88
  • 6.18.30
  • 6b01c1bc9a4748ab37548a700a8aaff910e298e6
  • 7.0.7
  • 7.1-rc2
  • 901ac0ff15edf9503162e2cf6579bd11a30f1ed4
  • ac3e9b55b7da6f0be51720bd330a0edc1a8b61f1

Affected packages
  • Linux / Linux
    < 49f9d048845be874df7997e4b1ce662de450c4b6 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < ac3e9b55b7da6f0be51720bd330a0edc1a8b61f1 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < 6b01c1bc9a4748ab37548a700a8aaff910e298e6 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < 901ac0ff15edf9503162e2cf6579bd11a30f1ed4 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2)
  • Linux / Linux
    2.6.12
    Fixed in 0, 6.12.88, 6.18.30, 7.0.7, 7.1-rc2
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H