CVE-2026-43437 Overview
CVE-2026-43437 is a use-after-free vulnerability in the Linux kernel's Advanced Linux Sound Architecture (ALSA) Pulse Code Modulation (PCM) subsystem. The flaw exists in snd_pcm_drain(), where the drain loop reassigns the local runtime pointer to a linked stream's runtime structure. After releasing the stream lock, the code dereferences fields on that pointer without any lock or reference count protecting its lifetime. A concurrent close() on the linked stream's file descriptor can free the runtime structure through snd_pcm_release_substream(), leaving the drain path operating on a dangling pointer.
Critical Impact
A local attacker with access to ALSA PCM device nodes (typically membership in the audio group, or the active console session on desktops that grant it through device ACLs) can trigger a kernel use-after-free. The direct result is a kernel oops (denial of service); turning the dangling pointer into local privilege escalation requires further exploitation work, as discussed under Attack Vector below.
Affected Products
- Linux kernel ALSA PCM subsystem (sound/core/pcm_native.c)
- Linux distributions shipping vulnerable stable kernel branches prior to the fixes in commits 4a758e9, 629cf09, 9b1dbd6, 9baee36, ae8f8d3, c2f64e0, and fc71f88
- Systems exposing /dev/snd/pcm* device nodes to unprivileged users
Discovery Timeline
- 2026-05-08 - CVE-2026-43437 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43437
Vulnerability Analysis
The vulnerability resides in the drain loop within snd_pcm_drain(). At line 2157 the local variable runtime is reassigned to a linked stream's runtime via runtime = s->runtime. The stream lock is then released at line 2169. Between lines 2170 and 2178, the code reads runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size from the linked stream's runtime structure. No lock, refcount, or RCU mechanism guards the lifetime of that structure during these reads.
A concurrent close() issued against the linked stream's file descriptor walks snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private() → snd_pcm_unlink() → snd_pcm_detach_substream(), ultimately invoking kfree(runtime). The drain thread then dereferences freed memory, producing a classic use-after-free condition.
Root Cause
The root cause is missing synchronization between the drain path and the release path for linked PCM streams. The drain loop accesses runtime fields outside the protective scope of the stream lock that originally guaranteed their validity. The fix caches no_period_wakeup, rate, and buffer_size into local variables while the lock is held, then uses the cached values after the lock is dropped.
Attack Vector
Exploitation requires local access and the ability to open ALSA PCM devices. An attacker creates two PCM substreams, links them with SNDRV_PCM_IOCTL_LINK, then races a SNDRV_PCM_IOCTL_DRAIN ioctl on one descriptor against a close() on the linked descriptor. Winning the race causes the drain thread to read from freed kernel memory. Note that the racy accesses are reads of no_period_wakeup, rate, and buffer_size, which the drain loop uses only to compute how long to wait; the direct outcome is therefore a kernel oops (or a bogus wait time), not an out-of-bounds write. Converting this into privilege escalation would additionally require shaping the kernel heap so that attacker-controlled data occupies the freed runtime allocation, a materially harder step than producing the crash.
For the exact source-level fix, see the upstream patches at Kernel Git Commit 4a758e9 and Kernel Git Commit fc71f88.
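As an added example that is not kernel code and not part of this advisory, the following user-space C program models the race described in the analysis and attack-vector sections above, with the vulnerable drain pattern beside the fixed one. struct runtime carries the three field names from struct snd_pcm_runtime, but the lock, release_stream() and kfree_instrumented() are stand-ins; the timeout formula is modelled on the upstream drain loop (100 ms floor, otherwise 1.1x the buffer duration, indefinite wait when no_period_wakeup is set), which the advisory itself does not reproduce, so treat it as an assumption. The race is made deterministic by invoking the release path at the exact point where the real drain thread has dropped the stream lock, and the instrumented free poisons the object instead of unmapping it so the stale read can be observed rather than crashing.

```c
/* Added example (not kernel code): a user-space model of the snd_pcm_drain() race
 * and of the upstream fix. Field names follow struct snd_pcm_runtime; the lock,
 * release_stream() and kfree_instrumented() are stand-ins. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct runtime {
    unsigned int  no_period_wakeup;
    unsigned int  rate;
    unsigned long buffer_size;
    bool          freed;            /* instrumentation only, not a real field */
};

struct drain_values {               /* the three fields read after the unlock */
    unsigned int  no_period_wakeup;
    unsigned int  rate;
    unsigned long buffer_size;
};

struct stream {
    atomic_flag     lock;           /* stand-in for the PCM stream lock */
    struct runtime *runtime;        /* the linked stream's runtime (s->runtime) */
};

static void stream_lock(struct stream *s)   { while (atomic_flag_test_and_set(&s->lock)) ; }
static void stream_unlock(struct stream *s) { atomic_flag_clear(&s->lock); }

/* Instrumented kfree(): poison the fields and remember that the object is dead,
 * but keep it mapped (as KASAN's quarantine does) so the stale read is observable. */
static void kfree_instrumented(struct runtime *rt)
{
    rt->no_period_wakeup = 0; rt->rate = 0;
    rt->buffer_size = 0xdeadbeefUL; rt->freed = true;
}

/* Release path: close() on the linked descriptor ends in kfree(runtime). */
void release_stream(struct stream *s)
{
    stream_lock(s);
    struct runtime *rt = s->runtime;
    s->runtime = NULL;
    stream_unlock(s);
    kfree_instrumented(rt);
}

/* Drain wait time, modelled on the upstream loop (an assumption; the advisory does
 * not reproduce it): 100 ms floor, else 1.1x the buffer duration; -1 = wait forever. */
long drain_timeout_ms(const struct drain_values *v)
{
    if (v->no_period_wakeup)
        return -1;
    long tout = 100;
    if (v->rate) {
        long t = (long)(v->buffer_size * 1100UL / v->rate);
        if (t > tout) tout = t;
    }
    return tout;
}

/* Vulnerable pattern: the raw runtime pointer survives the unlock and is read
 * afterwards. `race` makes close() win at exactly that point. Returns true when
 * a freed object was read, which is what KASAN would report. */
bool drain_vulnerable(struct stream *s, bool race, long *tout)
{
    stream_lock(s);
    struct runtime *runtime = s->runtime;   /* runtime = s->runtime; */
    stream_unlock(s);                       /* snd_pcm_stream_unlock_irq(); */
    if (race)
        release_stream(s);                  /* runtime now dangles */
    struct drain_values v = { runtime->no_period_wakeup, runtime->rate, runtime->buffer_size };
    *tout = drain_timeout_ms(&v);
    return runtime->freed;
}

/* Fixed pattern: copy the fields while the lock is held; nothing after the unlock
 * touches the runtime pointer, so the concurrent free is harmless. */
bool drain_fixed(struct stream *s, bool race, long *tout)
{
    stream_lock(s);
    struct drain_values v = { s->runtime->no_period_wakeup, s->runtime->rate, s->runtime->buffer_size };
    stream_unlock(s);
    if (race)
        release_stream(s);
    *tout = drain_timeout_ms(&v);
    return false;
}

/* One scenario on a fresh runtime with constructed values: 48 kHz, 4800-frame buffer. */
bool run_scenario(bool fixed, bool race, long *tout)
{
    struct runtime rt = { .no_period_wakeup = 0, .rate = 48000, .buffer_size = 4800 };
    struct stream s;
    atomic_flag_clear(&s.lock);
    s.runtime = &rt;
    return fixed ? drain_fixed(&s, race, tout) : drain_vulnerable(&s, race, tout);
}

int main(void)
{
    long t;
    bool uaf = run_scenario(false, true, &t);
    printf("vulnerable drain, close() wins the race: freed object read=%d, timeout=%ld ms\n", uaf, t);
    uaf = run_scenario(true, true, &t);
    printf("fixed drain, close() wins the race:      freed object read=%d, timeout=%ld ms\n", uaf, t);
    return 0;
}
```

Build with `cc -std=c11 uaf_model.c`. With close() winning the race, the vulnerable path reports that it read a freed object and computes its wait from poisoned data, while the fixed path never touches the pointer after the unlock and returns the same wait it would have computed without the race.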
Detection Methods for CVE-2026-43437
Indicators of Compromise
- Kernel oops or general protection fault entries in dmesg referencing snd_pcm_drain or snd_pcm_release_substream in the call trace
- KASAN reports flagging use-after-free reads in sound/core/pcm_native.c around the drain loop
- Kernel oops messages that terminate a process while it is inside snd_pcm_drain(); the oops kills the racing task (see the Comm: field in the report), so correlate with processes holding /dev/snd/pcm* descriptors rather than only with crashes of PulseAudio or PipeWire
Detection Strategies
- Enable CONFIG_KASAN on test and staging kernels to catch use-after-free reads against snd_pcm_runtime structures.
- Audit running kernel versions across the fleet against the patched stable branches referenced in the upstream commits.
- Monitor auditd for unusual ioctl() patterns against /dev/snd/pcm* from non-audio user processes.
Monitoring Recommendations
- Collect kernel ring buffer and journalctl -k output centrally and alert on BUG: KASAN or use-after-free strings. These strings appear only on KASAN-enabled builds; on production kernels the same bug surfaces as a page-fault oops or general protection fault, so also alert on those headers when snd_pcm_drain appears in the accompanying call trace.
- Track processes invoking SNDRV_PCM_IOCTL_LINK followed by concurrent SNDRV_PCM_IOCTL_DRAIN and close() from sibling threads.
- Inventory kernel package versions and flag hosts not running a kernel that includes the listed stable commits.
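The following scanner is an added example, not part of this advisory, that applies the indicators above to kernel log lines: it counts KASAN use-after-free headers and plain oops headers, counts call-trace frames in snd_pcm_drain, snd_pcm_detach_substream and snd_pcm_release_substream, and flags any report whose trace passes through that path. The two sample logs are constructed; their symbol offsets, addresses and PIDs are made up, and the report framing ("=" rules for KASAN, "---[ end trace" for an oops) follows the kernel's usual output.

```c
/* Added example, not from the advisory: a scanner for the kernel-log indicators
 * listed above, run over constructed sample lines (offsets, addresses and PIDs
 * are made up). */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct scan_result {
    int  kasan_uaf;     /* "BUG: KASAN: ... use-after-free" headers */
    int  oops_headers;  /* page-fault oops or general protection fault headers */
    int  alsa_frames;   /* trace frames in snd_pcm_drain / detach / release */
    bool alsa_report;   /* some report's trace hit the ALSA PCM path */
    bool in_report;     /* parser state: inside a report block */
};

/* Symbols from the indicator list plus the frame that actually frees the runtime. */
static const char *const alsa_symbols[] = {
    "snd_pcm_drain", "snd_pcm_release_substream", "snd_pcm_detach_substream", NULL
};

static bool mentions_alsa_path(const char *line)
{
    for (const char *const *sym = alsa_symbols; *sym; sym++)
        if (strstr(line, *sym))
            return true;
    return false;
}

/* KASAN builds print "BUG: KASAN: slab-use-after-free in ..." (older kernels:
 * "use-after-free"); production kernels surface the same bug as an oops or GPF. */
static bool is_kasan_uaf_header(const char *line)
{
    return strstr(line, "BUG: KASAN:") && strstr(line, "use-after-free");
}
static bool is_oops_header(const char *line)
{
    return strstr(line, "BUG: unable to handle page fault") ||
           strstr(line, "general protection fault");
}

/* Feed one line; state is carried so a header followed by an ALSA frame correlates. */
void scan_line(struct scan_result *r, const char *line)
{
    bool header = is_kasan_uaf_header(line);
    if (header) {
        r->kasan_uaf++;
        r->in_report = true;
    } else if (is_oops_header(line)) {
        r->oops_headers++;
        r->in_report = true;
    } else if (strstr(line, "====================")) {
        r->in_report = !r->in_report;   /* KASAN brackets a report with '=' rules */
        return;
    } else if (strstr(line, "---[ end trace")) {
        r->in_report = false;           /* oops reports end here */
        return;
    }
    if (mentions_alsa_path(line)) {
        if (!header) r->alsa_frames++;
        if (r->in_report) r->alsa_report = true;
    }
}

/* Scan a buffer of newline-separated lines, e.g. captured journalctl -k output. */
struct scan_result scan_log(const char *log)
{
    struct scan_result r = {0};
    char line[512];
    while (*log) {
        const char *nl = strchr(log, '\n');
        size_t len = nl ? (size_t)(nl - log) : strlen(log);
        if (len >= sizeof line)
            len = sizeof line - 1;          /* over-long lines are split, not dropped */
        memcpy(line, log, len);
        line[len] = '\0';
        scan_line(&r, line);
        log = (nl && (size_t)(nl - log) == len) ? nl + 1 : log + len;
    }
    return r;
}

/* Constructed sample: a KASAN kernel logging a freed runtime read in the drain loop. */
static const char sample_kasan_log[] =
    "[  123.456789] ==================================================================\n"
    "[  123.456801] BUG: KASAN: slab-use-after-free in snd_pcm_drain+0x2f4/0x6a0\n"
    "[  123.456812] Read of size 4 at addr ffff888012345678 by task racer/1234\n"
    "[  123.456830] Call Trace:\n"
    "[  123.456833]  snd_pcm_drain+0x2f4/0x6a0\n"
    "[  123.456838]  snd_pcm_common_ioctl+0x1c0/0x3a0\n"
    "[  123.456900] Freed by task 1235:\n"
    "[  123.456905]  kfree+0x10/0x30\n"
    "[  123.456910]  snd_pcm_detach_substream+0x58/0x90\n"
    "[  123.456915]  snd_pcm_release_substream+0x6c/0xb0\n"
    "[  123.457000] ==================================================================\n";

/* Constructed benign sample: normal ALSA driver chatter plus an unrelated GPF. */
static const char sample_benign_log[] =
    "[   10.000000] snd_hda_intel 0000:00:1f.3: enabling device (0000 -> 0002)\n"
    "[  300.000000] general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] PREEMPT SMP\n"
    "[  300.000012]  ext4_lookup+0x1a/0x40\n"
    "[  300.000020] ---[ end trace 0000000000000000 ]---\n";

int main(void)
{
    struct scan_result r = scan_log(sample_kasan_log);
    printf("KASAN UAF headers=%d oops headers=%d ALSA PCM frames=%d ALSA PCM report=%s\n",
           r.kasan_uaf, r.oops_headers, r.alsa_frames, r.alsa_report ? "yes" : "no");
    return 0;
}
```

In a real deployment the buffer would come from `journalctl -k` or a centralized log pipeline; the point of carrying state across lines is that the ALSA frame often appears several lines after the header, so per-line grep rules that look for both strings on one line miss the report.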
How to Mitigate CVE-2026-43437
Immediate Actions Required
- Apply the upstream kernel patches from the stable tree and reboot affected hosts.
- Restrict access to /dev/snd/pcm* device nodes to trusted audio service accounts only.
- Prioritize patching multi-user systems, shared workstations, and container hosts where untrusted local code may run.
Patch Information
The fix caches no_period_wakeup, rate, and buffer_size into local variables while the stream lock is held, then uses the cached values after the lock is released. The patch ships in the following upstream commits: Kernel Git Commit 4a758e9, Kernel Git Commit 629cf09, Kernel Git Commit 9b1dbd6, Kernel Git Commit 9baee36, Kernel Git Commit ae8f8d3, Kernel Git Commit c2f64e0, and Kernel Git Commit fc71f88.
Workarounds
- Tighten permissions on /dev/snd/pcm* by removing untrusted local users from the audio group; on systemd-logind desktops also account for the uaccess device ACLs that grant the active console session access to sound devices regardless of group membership (check with getfacl).
- Restrict container access to host audio devices by removing --device /dev/snd mappings on multi-tenant container hosts.
- Use Linux Security Modules such as SELinux or AppArmor to deny ioctl access to ALSA PCM devices from untrusted application profiles.
# Configuration example: restrict ALSA PCM device access
# root:audio 0660 is already the default on most distributions and udev recreates the nodes,
# so persist changes in a udev rule (example: KERNEL=="pcm*", SUBSYSTEM=="sound", GROUP="audio", MODE="0660"
# in /etc/udev/rules.d/) and check getfacl for logind uaccess ACLs that grant the console user access anyway.
sudo chown root:audio /dev/snd/pcm*
sudo chmod 660 /dev/snd/pcm*
getfacl /dev/snd/pcm*
# Verify the running kernel includes the fix. snd_pcm_drain exists in every kernel, so its
# presence in /proc/kallsyms proves nothing; check the kernel package changelog for the CVE ID.
uname -r
rpm -q --changelog kernel-core 2>/dev/null | grep -m1 CVE-2026-43437                      # RPM-based distros
zcat /usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz | grep -m1 CVE-2026-43437  # Debian/Ubuntu
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


