Use-After-Free Vulnerability in Linux Kernel ALSA PCM Component
CVE-2026-43437
What is CVE-2026-43437?
A use-after-free vulnerability exists in the Linux kernel's ALSA PCM component, where the local variable 'runtime' can be reassigned to a linked stream's runtime without sufficient synchronization. The stale pointer can then be dereferenced after the stream lock has been released. The vulnerability arises during the drain process, when a concurrent close operation can trigger the release of the memory associated with 'runtime'. The issue is resolved by caching the necessary runtime fields into local variables while the stream lock is still held, thereby preventing access to invalid memory.
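The locking pattern described above, as an added example that is not the kernel patch or code from this advisory: a userspace C model in which `close_stream` stands in for the concurrent close. The struct layout, function names and timeout arithmetic are assumptions made for illustration.

```c
/* Userspace model only, not kernel code; all names and fields are hypothetical. */
#include <pthread.h>
#include <stdlib.h>

struct runtime { unsigned rate, buffer_size; int no_period_wakeup; };
struct stream { pthread_mutex_t lock; struct runtime *runtime; };

/* Models a concurrent close: frees the runtime under the stream lock. */
void close_stream(struct stream *s)
{
    pthread_mutex_lock(&s->lock);
    free(s->runtime);
    s->runtime = NULL;
    pthread_mutex_unlock(&s->lock);
}

/* Stale-pointer pattern: 'rt' is dereferenced after the lock is dropped. */
long drain_wait_ms_racy(struct stream *linked, void (*window)(struct stream *))
{
    pthread_mutex_lock(&linked->lock);
    struct runtime *rt = linked->runtime;
    pthread_mutex_unlock(&linked->lock);
    if (window) window(linked);           /* a close may run in this window */
    if (rt->no_period_wakeup) return -1;  /* use-after-free if it did */
    return rt->rate ? (long)rt->buffer_size * 1100 / rt->rate : 100;
}

/* Fixed pattern: copy the needed fields while the lock is still held. */
long drain_wait_ms_fixed(struct stream *linked, void (*window)(struct stream *))
{
    pthread_mutex_lock(&linked->lock);
    struct runtime *rt = linked->runtime;
    if (!rt) { pthread_mutex_unlock(&linked->lock); return 0; }
    int no_wakeup = rt->no_period_wakeup;
    unsigned rate = rt->rate, buffer_size = rt->buffer_size;
    pthread_mutex_unlock(&linked->lock);
    if (window) window(linked);           /* a close here touches nothing we read */
    if (no_wakeup) return -1;             /* -1 models "wait without timeout" */
    return rate ? (long)buffer_size * 1100 / rate : 100;
}

/* Builds a constructed sample stream for the demonstration. */
struct stream *new_stream(unsigned rate, unsigned buffer_size)
{
    struct stream *s = calloc(1, sizeof(*s));
    pthread_mutex_init(&s->lock, NULL);
    s->runtime = malloc(sizeof(*s->runtime));
    *s->runtime = (struct runtime){ .rate = rate, .buffer_size = buffer_size };
    return s;
}
```

`drain_wait_ms_racy` is shown for contrast only; passing `close_stream` as its `window` argument reads freed memory.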
Affected Version(s)
Linux f2b3614cefb61ee6046a0aaee503ee37f227d310 < 9baee36e8c5443411c4629afabafaff8a46a23fd
Linux f2b3614cefb61ee6046a0aaee503ee37f227d310
Linux f2b3614cefb61ee6046a0aaee503ee37f227d310 < 629cf09464cf98670996ea5c191dc9743e6f3f00