CVE-2026-23191
Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: aloop: Fix racy access at PCM trigger

The PCM trigger callback of the aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are performed outside the cable lock, this may result in UAF when a program attempts to trigger frequently while opening/closing the tied stream, as spotted by fuzzers.

For addressing the UAF, this patch changes two things:
- It covers most of the code in loopback_check_format() with the cable->lock spinlock, and adds the proper NULL checks. This already avoids some racy accesses.
- In addition, now we try to check the state of the capture PCM stream that may be stopped in this function, which was the major pain point leading to UAF.
Mitigations
No mitigations published for this CVE yet.
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
Debian Mixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 6.12.73-1 |
| sid | Fixed | 6.18.10-1 |
| forky | Fixed | 6.18.10-1 |
| bullseye | Affected | - |
| bookworm | Affected | - |
AlmaLinux Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | kernel-devel-5.14.0-611.45.1.el9_7.aarch64.rpm |
| 8 | Fixed | kernel-rt-debug-modules-extra-4.18.0-553.120.1.rt7.461.el8_10.x86_64.rpm |
Red Hat Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | - |
| 8 | Fixed | - |
Rocky Linux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | - |
References
- https://access.redhat.com/errata/RHSA-2026:6153
- https://www.suse.com/security/cve/CVE-2026-23191.html
- https://errata.rockylinux.org/RLSA-2026:6153
- https://security-tracker.debian.org/tracker/CVE-2026-23191
- https://access.redhat.com/errata/RHSA-2026:9131
- https://bugzilla.redhat.com/2425046
- https://bugzilla.redhat.com/2439947
- https://errata.almalinux.org/8/ALSA-2026-9131.html
- https://access.redhat.com/errata/RHSA-2026:9135
- https://errata.almalinux.org/8/ALSA-2026-9135.html
- https://bugzilla.redhat.com/2376376
- https://bugzilla.redhat.com/2407333
- https://bugzilla.redhat.com/2439872
- https://bugzilla.redhat.com/2439886
- https://bugzilla.redhat.com/2439887
- https://bugzilla.redhat.com/2439900
- https://bugzilla.redhat.com/2439931
- https://errata.almalinux.org/9/ALSA-2026-6153.html