CVE-2026-46262 Overview
CVE-2026-46262 is a Linux kernel vulnerability in the ASoC (ALSA System on Chip) fsl_xcvr driver. The issue stems from an earlier patch that attempted to acquire card->controls_rwsem inside fsl_xcvr_mode_put(). That function is invoked by the ALSA core routine snd_ctl_elem_write(), which already holds the write lock on controls_rwsem for the entire put operation. Acquiring the read lock while the same thread holds the write lock produces a deadlock and a hung task. The kernel maintainers resolved the issue by reverting commit f51424872760.
Critical Impact
Local users invoking ALSA control writes on affected systems can trigger a kernel deadlock, resulting in a hung task and denial of service.
Affected Products
- Linux kernel branches containing commit f51424872760 ("ASoC: fsl_xcvr: fix missing lock in fsl_xcvr_mode_put()")
- Systems using the NXP/Freescale fsl_xcvr ASoC audio driver
- Stable kernel trees referenced by the upstream fix commits
Discovery Timeline
- Issue reported by Alexander Stein (as credited in the kernel commit message)
- 2026-06-03 - CVE-2026-46262 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-46262
Vulnerability Analysis
The defect is a locking error (deadlock) introduced by commit f51424872760, which added code to acquire card->controls_rwsem inside fsl_xcvr_mode_put() before invoking fsl_xcvr_activate_ctl(). The intent was to protect concurrent access to ALSA control state. However, the ALSA core already holds the write lock on that semaphore whenever it calls this function. The reverting patch removes the redundant locking and eliminates the hang.
Root Cause
The root cause is a recursive acquisition of the same lock within a single thread. snd_ctl_elem_write() in the ALSA core acquires controls_rwsem as a writer for the duration of the put operation. The added down_read() call on the same rw_semaphore from fsl_xcvr_mode_put() runs in that same context. A reader-writer semaphore in Linux does not permit a thread holding the write lock to also acquire the read lock, so the call blocks indefinitely.
Attack Vector
A local user with permission to write ALSA controls on a device exposing the fsl_xcvr driver can trigger the deadlock by issuing a control write that reaches fsl_xcvr_mode_put(). The thread holding the write semaphore stalls, producing a hung task and blocking subsequent ALSA control operations on the card. No memory corruption or privilege escalation arises from this flaw; the impact is on the availability of audio control functionality and the affected kernel thread.
No exploitation code is required beyond standard ALSA control write syscalls. Refer to the upstream patch series for the exact code path.
Detection Methods for CVE-2026-46262
Indicators of Compromise
- Kernel log messages reporting INFO: task ... blocked for more than ... seconds referencing fsl_xcvr_mode_put or snd_ctl_elem_write
- Hung task watchdog stack traces showing down_read on controls_rwsem after snd_ctl_elem_write
- Userspace audio control utilities (for example amixer, alsactl) hanging on writes to the fsl_xcvr card
Detection Strategies
- Inventory running kernels and identify builds that include commit f51424872760 but not the revert commits listed in the NVD references
- Monitor dmesg and journald output for hung task warnings tied to the ALSA control subsystem
- Correlate audio subsystem stalls with ALSA control write activity from local users or services
Monitoring Recommendations
- Collect kernel ring buffer logs centrally and alert on hung_task_timeout_secs warnings
- Track kernel version and patch level across fleets running on NXP i.MX platforms where fsl_xcvr is enabled
- Watch for repeated snd_ctl_elem_write calls that fail to complete from non-privileged processes
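The hung-task indicators listed above can be checked mechanically. The following Python code is an added example, not part of the original advisory or of any kernel tooling: it parses kernel log text and flags hung-task reports whose stack shows down_read reached from fsl_xcvr_mode_put under snd_ctl_elem_write. The sample log (task names, PIDs, offsets, timestamps) is constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample: task names, PIDs, offsets and timestamps are made up.
SAMPLE_LOG = """\
[  363.100000] INFO: task amixer:812 blocked for more than 120 seconds.
[  363.100010] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[  363.100020] Call trace:
[  363.100030]  schedule+0x5c/0xd0
[  363.100040]  rwsem_down_read_slowpath+0x1e0/0x4c0
[  363.100050]  down_read+0x44/0x150
[  363.100060]  fsl_xcvr_mode_put+0x58/0xe0 [snd_soc_fsl_xcvr]
[  363.100070]  snd_ctl_elem_write+0x10c/0x1d0
[  484.200000] INFO: task kworker/u8:1:57 blocked for more than 120 seconds.
[  484.200010] Call trace:
[  484.200020]  schedule+0x5c/0xd0
[  484.200030]  io_schedule+0x20/0x40
"""

HUNG = re.compile(r"INFO: task (?P<comm>.+):(?P<pid>\d+) blocked for more than \d+ seconds")
FRAME = re.compile(r"\b([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def hung_task_reports(log_text):
    """Split kernel log text into hung-task reports with their stack frames."""
    reports, current = [], None
    for line in log_text.splitlines():
        m = HUNG.search(line)
        if m:  # a new report starts; following frames belong to it
            current = {"comm": m["comm"], "pid": int(m["pid"]), "frames": []}
            reports.append(current)
            continue
        f = FRAME.search(line)
        if f and current is not None:
            current["frames"].append(f.group(1))
    return reports

def matches_fsl_xcvr_deadlock(report):
    """True when down_read is reached from fsl_xcvr_mode_put under snd_ctl_elem_write."""
    frames = report["frames"]  # innermost frame first, as the kernel prints them
    try:
        rd, put, wr = (frames.index(n) for n in ("down_read", "fsl_xcvr_mode_put", "snd_ctl_elem_write"))
    except ValueError:  # at least one of the three frames is absent
        return False
    return rd < put < wr

def scan(log_text):
    return [(r["comm"], r["pid"]) for r in hung_task_reports(log_text) if matches_fsl_xcvr_deadlock(r)]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Feed it the output of dmesg or a journald kernel export; requiring all three frames in call order keeps unrelated hung tasks, such as the I/O wait in the sample, out of the alert.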
How to Mitigate CVE-2026-46262
Immediate Actions Required
- Apply the upstream Linux kernel update containing the revert of commit f51424872760 from your distribution vendor
- Identify hosts using the fsl_xcvr driver, typically NXP/Freescale i.MX-based systems with SPDIF/eARC audio
- Restrict local access to ALSA control interfaces on shared systems until patched
Patch Information
The fix reverts commit f51424872760. Stable tree backports are available in the following kernel commits referenced in the NVD entry: Kernel Commit 0886dc6, Kernel Commit 29b2fbe, Kernel Commit 30ffcad, Kernel Commit 9a2a5da, Kernel Commit 9f16d96, Kernel Commit ae5a70e, and Kernel Commit b0f74f5.
Workarounds
- Unload or blacklist the snd_soc_fsl_xcvr module on systems that do not require XCVR audio functionality
- Avoid running ALSA control writes against the affected card until the patched kernel is deployed
- Limit access to /dev/snd/controlC* device nodes via group permissions or namespace isolation


