CVE-2026-53242: Linux Kernel ALSA PCM DoS Vulnerability

CVE-2026-53242 is a denial of service vulnerability in Linux kernel ALSA PCM that causes wait queue corruption leading to kernel panic. This post covers the technical details, affected versions, impact, and mitigation.

CVE-2026-53242 Overview

CVE-2026-53242 affects the Linux kernel's Advanced Linux Sound Architecture (ALSA) PCM subsystem. The flaw resides in snd_pcm_drain() when operating on linked audio streams. A concurrent UNLINK operation can leave an orphaned wait queue entry on an unlinked substream's sleep queue, leading to wait queue list corruption.

On subsequent drain iterations, add_wait_queue attaches the entry to a new queue while it remains linked to the previous one. A later wake_up then dereferences a NULL function pointer, triggering a kernel panic. The issue is a local denial-of-service condition affecting audio device users on Linux systems.

Critical Impact

Local attackers or unprivileged users with audio device access can trigger wait queue list corruption resulting in a kernel panic and full system denial of service.

Affected Products

  • Linux kernel ALSA PCM subsystem (sound/core/pcm_native.c)
  • Multiple stable kernel branches addressed via backport commits
  • Systems exposing ALSA PCM devices to local users

Discovery Timeline

  • 2026-06-25 - CVE-2026-53242 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-53242

Vulnerability Analysis

The vulnerability is a wait queue list corruption [CWE-416-class] in the ALSA PCM drain path. snd_pcm_drain() previously used init_waitqueue_entry(), which does not clear the entry.prev and entry.next list pointers. The function then called add_wait_queue() followed by a conditional remove_wait_queue() that was skipped when the to_check substream was no longer part of the link group after a concurrent UNLINK operation.

When the conditional removal was skipped, the wait entry remained queued on the unlinked substream's sleep queue. On the next drain loop iteration, add_wait_queue() inserted the same entry into a different wait queue while it was still linked into the old one. This dual-linkage corrupts both list structures.

A later wake_up() traversal then dereferences memory at offset 0 of what it believes is a wait_queue_head_t, but the underlying memory is actually a spinlock. The resulting NULL function pointer dereference at the wait entry's func field causes an immediate kernel panic.

Root Cause

The root cause is improper wait entry lifecycle management combined with a race between snd_pcm_drain() and concurrent stream unlink operations. init_waitqueue_entry() does not initialize the list head pointers, and the cleanup path was guarded by a condition that could legitimately become false mid-operation.

Attack Vector

A local user with permission to open ALSA PCM devices can trigger the race by issuing drain operations against linked streams while concurrently unlinking them. Successful exploitation results in a kernel panic and host-wide denial of service. The vulnerability requires local access and is not remotely exploitable over a network.

The fix replaces init_waitqueue_entry, add_wait_queue, and the conditional remove_wait_queue with init_wait_entry, prepare_to_wait, and finish_wait. init_wait_entry clears prev/next via INIT_LIST_HEAD on each iteration and installs autoremove_wake_function, while finish_wait safely handles both already-removed and still-queued cases.
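
The dual-linkage described under Vulnerability Analysis and the effect of the fix can be reproduced in a userspace model. This is an added example, not the kernel's code or the patch: the list helpers are simplified re-implementations, and drain_two_passes(), list_consistent(), q_old and q_new are hypothetical names.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of the kernel's circular doubly linked list (constructed). */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *n, struct list_head *head) {
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}
static void list_del_init(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
    INIT_LIST_HEAD(n);
}
/* A queue is sound when every node's neighbours point back at it. */
static bool list_consistent(const struct list_head *head) {
    const struct list_head *p = head;
    int hops = 0;
    do {
        if (p->next->prev != p || p->prev->next != p) return false;
        p = p->next;
    } while (p != head && ++hops < 16);
    return p == head;
}
/* Two drain-loop passes over one wait entry; returns true if both queues
 * are still sound. fixed=false models add_wait_queue() plus the conditional
 * remove_wait_queue(); fixed=true models init_wait_entry()/finish_wait(). */
static bool drain_two_passes(bool fixed, bool unlink_raced) {
    struct list_head q_old, q_new, entry = { NULL, NULL };
    INIT_LIST_HEAD(&q_old); INIT_LIST_HEAD(&q_new);

    if (fixed) INIT_LIST_HEAD(&entry);        /* init_wait_entry() */
    list_add(&entry, &q_old);                 /* pass 1: sleep on first queue */
    if (fixed) {
        if (!list_empty(&entry)) list_del_init(&entry);   /* finish_wait() */
    } else if (!unlink_raced) {
        list_del_init(&entry);                /* remove skipped after UNLINK */
    }
    if (fixed) INIT_LIST_HEAD(&entry);
    list_add(&entry, &q_new);                 /* pass 2: sleep on next queue */
    return list_consistent(&q_old) && list_consistent(&q_new);
}

int main(void) {
    printf("old pattern, UNLINK raced: %s\n", drain_two_passes(false, true) ? "sound" : "CORRUPT");
    printf("fixed pattern, UNLINK raced: %s\n", drain_two_passes(true, true) ? "sound" : "CORRUPT");
    return 0;
}
```

In the old pattern the first queue still points at the entry while the entry's own pointers now belong to the second queue, which is the inconsistency a later wake_up() traversal walks into.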

Detection Methods for CVE-2026-53242

Indicators of Compromise

  • Kernel panic messages referencing wake_up, __wake_up_common, or snd_pcm_drain in the call stack
  • NULL pointer dereference oops with the faulting address near offset 0 in wait_queue_entry_t->func
  • Unexpected host reboots on systems running multimedia or audio-processing workloads with linked PCM streams

Detection Strategies

  • Audit kernel versions against the patched stable branches referenced in the kernel.org commits
  • Monitor /var/log/kern.log and dmesg output for ALSA-related list corruption warnings such as list_add corruption or WARN_ON triggers in wait queue functions
  • Correlate audio subsystem usage by untrusted local users with kernel crash events in centralized logging

Monitoring Recommendations

  • Forward kernel logs to a central SIEM and alert on panic strings containing snd_pcm or __wake_up frames
  • Track unexpected reboots on multi-tenant Linux hosts and containers granted /dev/snd access
  • Inventory which workloads require ALSA PCM access and review whether the access is necessary

How to Mitigate CVE-2026-53242

Immediate Actions Required

  • Apply the upstream stable kernel update that includes the snd_pcm_drain() fix and reboot affected systems
  • Inventory Linux hosts and containers that expose /dev/snd/* devices to untrusted users or workloads
  • Restrict audio device access in container and sandbox configurations until patches are deployed

Patch Information

The fix is available in multiple stable kernel branches via the following commits: Linux Kernel Commit 7c71a95, Linux Kernel Commit 88fe2e36, Linux Kernel Commit b053fcd8, Linux Kernel Commit cac5bf35, Linux Kernel Commit cd98837d, Linux Kernel Commit d68b621b, and Linux Kernel Commit d842f26a. Update to the latest stable release of your distribution kernel.

Workarounds

  • Remove or restrict access to ALSA PCM device nodes (/dev/snd/pcm*) for non-trusted local users where audio is not required
  • Drop the audio group membership and remove /dev/snd from container device cgroups in untrusted workloads
  • Disable the snd_pcm kernel module on servers that do not require audio functionality using modprobe -r snd_pcm and a blacklist entry

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
