CVE-2026-43126 Overview
CVE-2026-43126 is a Linux kernel vulnerability in the Advanced Linux Sound Architecture (ALSA) Open Sound System (OSS) mixer compatibility layer. The OSS mixer code calls kcontrol operations individually, and pending calls were not consistently caught when the underlying sound card was disconnected. This gap creates a potential use-after-free (UAF) condition when userspace continues issuing mixer ioctls while the device is being torn down. The upstream fix adds card disconnection checkpoints at each entry point of OSS mixer access, guarded by an rwsem taken just before the check.
Critical Impact
Local userspace processes interacting with /dev/mixer during sound card removal could trigger a use-after-free in kernel memory, leading to kernel instability or potential privilege escalation.
Affected Products
- Linux kernel ALSA OSS mixer subsystem (sound/core/oss/mixer_oss.c)
- Stable kernel branches receiving the backports referenced in the four upstream commits
- Distributions shipping affected kernel versions prior to applying the fix
Discovery Timeline
- 2026-05-06 - CVE-2026-43126 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43126
Vulnerability Analysis
The vulnerability resides in the ALSA OSS mixer compatibility layer, which exposes legacy /dev/mixer interfaces to userspace. When applications invoke mixer ioctls, the OSS layer dispatches calls to the underlying ALSA kcontrol operations one at a time. During sound card disconnection, in-flight or pending operations were not always synchronized with the teardown path. This race window allowed mixer accesses to proceed against state that had been or was being released.
The upstream resolution adds explicit card disconnect checkpoints at every entry point into the OSS mixer code. The rwsem is acquired immediately before the disconnect check, ensuring that the remainder of the access path executes under a consistent view of the card's lifecycle state. Once the card is marked disconnected, mixer operations return early instead of touching freed structures.
Root Cause
The root cause is missing lifecycle synchronization between the OSS mixer access paths and the card disconnect routine. Without per-entry-point disconnect checks under the rwsem, individual kcontrol op calls could reference state that had already been torn down, producing a use-after-free condition.
Attack Vector
Exploitation requires local access with permission to open the OSS mixer device node. An attacker triggers concurrent mixer ioctls while the underlying sound card is being disconnected, for example through hot-unplug of a USB audio device or module unload. The race window is narrow but reachable from unprivileged local users on systems where the OSS compatibility layer is enabled.
No public proof-of-concept code is available. Refer to the upstream kernel commits (084d5d4, 8c097cf, ae583f1, e6645e6) for the exact code paths protected by the new checkpoints.
Detection Methods for CVE-2026-43126
Indicators of Compromise
- Kernel oops or KASAN: use-after-free reports referencing functions in sound/core/oss/mixer_oss.c.
- Unexpected kernel crashes correlated with USB audio device disconnect events or snd_* module unloads.
- Repeated ioctl activity on /dev/mixer* from unprivileged processes during device teardown.
Detection Strategies
- Enable Kernel Address Sanitizer (KASAN) on test kernels to surface use-after-free reads and writes in the ALSA OSS mixer path.
- Audit dmesg for stack traces involving snd_mixer_oss_* symbols following audio device removal.
- Monitor process telemetry for unprivileged binaries opening /dev/mixer and issuing mixer ioctls in tight loops.
Monitoring Recommendations
- Track installed kernel versions across the fleet and flag hosts running unpatched kernels with ALSA OSS emulation enabled.
- Alert on kernel panics or oops events forwarded from syslog or journald to centralized logging.
- Correlate USB audio hot-unplug events with subsequent kernel error messages to identify race-condition triggers.
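The correlation described above can be run over exported kernel logs. The following is an added example, not code from the advisory or the kernel project: it assumes dmesg-style `[seconds]` timestamps, and the time windows, the `correlate` function name and the sample log lines are constructed for illustration.

```python
import re

# dmesg-style line: "[  812.400113] message" (seconds since boot).
LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")
USB_GONE = re.compile(r"usb (\S+): USB disconnect, device number \d+")
REPORT = re.compile(r"BUG: KASAN: \S*use-after-free|Oops:|general protection fault")
OSS_SYM = re.compile(r"\b(snd_mixer_oss_\w+)")

def correlate(log_text, window=5.0, trace_span=2.0):
    """Return kernel error reports whose header or stack trace names a
    snd_mixer_oss_* symbol. Each finding records the USB port that was
    disconnected at most `window` seconds earlier, or None."""
    disconnects, findings, current = [], [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        usb = USB_GONE.search(msg)
        if usb:
            disconnects.append((ts, usb.group(1)))
            continue
        if REPORT.search(msg):
            # New report header: remember it and look back for a disconnect.
            current = {"time": ts, "report": msg, "symbols": [], "usb": None}
            for dts, port in reversed(disconnects):
                if 0 <= ts - dts <= window:
                    current["usb"] = port
                    break
        if current and ts - current["time"] <= trace_span:
            # Header and following trace lines belong to the same report.
            for sym in OSS_SYM.findall(msg):
                if sym not in current["symbols"]:
                    if not current["symbols"]:
                        findings.append(current)
                    current["symbols"].append(sym)
    return findings

# Constructed sample log (addresses, offsets and task name are made up).
SAMPLE_LOG = """\
[  812.400113] usb 1-2: USB disconnect, device number 7
[  812.431877] BUG: KASAN: slab-use-after-free in snd_mixer_oss_ioctl1+0x1a2/0x9c0 [snd_mixer_oss]
[  812.431902] Read of size 8 at addr ffff888012345678 by task mixerloop/4211
[  812.432410]  snd_mixer_oss_ioctl+0x3f/0x60 [snd_mixer_oss]
[ 1490.002345] usb 3-1: USB disconnect, device number 4
[ 1490.250000] BUG: KASAN: slab-use-after-free in hid_hw_stop+0x20/0x40
"""

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f["time"], f["usb"], f["symbols"])
```

A finding with `usb` set to None still names the OSS mixer path; it points to a teardown that was not a USB hot-unplug, such as a module unload.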
How to Mitigate CVE-2026-43126
Immediate Actions Required
- Apply the upstream kernel patches referenced in the stable tree commits as soon as vendor-built packages are available.
- Inventory systems that load the OSS mixer compatibility module (snd_mixer_oss) and prioritize patching those hosts.
- Restrict local access on multi-user systems where untrusted users can reach /dev/mixer device nodes.
Patch Information
The fix is committed across the stable Linux kernel branches in commits 084d5d4, 8c097cf, ae583f1, and e6645e6. The change adds card disconnect checkpoints at each OSS mixer entry point, with the rwsem acquired immediately before the check. Upgrade to a distribution kernel that incorporates these commits.
Workarounds
- Unload the snd_mixer_oss module on systems that do not require legacy OSS mixer compatibility: modprobe -r snd_mixer_oss.
- Blacklist OSS emulation modules where ALSA-native interfaces are sufficient for all installed audio applications.
- Tighten permissions on /dev/mixer* device nodes to restrict access to trusted users and groups only.
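# Configuration example: blacklist OSS mixer emulation until a patched kernel is deployed
# Note: "blacklist" only stops alias-based autoloading; an explicit modprobe or a module that depends on it can still load snd_mixer_oss
echo 'blacklist snd_mixer_oss' | sudo tee /etc/modprobe.d/disable-oss-mixer.conf
# Unload the running module; errors are suppressed here, so confirm the result with lsmod below
sudo modprobe -r snd_mixer_oss 2>/dev/null || true
# Verify the module is not loaded (no output means it is not loaded)
lsmod | grep -i snd_mixer_oss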