CVE-2026-53242 Overview
CVE-2026-53242 affects the Linux kernel's Advanced Linux Sound Architecture (ALSA) PCM subsystem. The flaw resides in snd_pcm_drain() when operating on linked audio streams. A concurrent UNLINK operation can leave an orphaned wait queue entry on an unlinked substream sleep queue, leading to wait queue list corruption.
On subsequent drain iterations, add_wait_queue attaches the entry to a new queue while it remains linked to the previous one. A later wake_up then dereferences a NULL function pointer, triggering a kernel panic. The issue is a local denial-of-service condition affecting audio device users on Linux systems.
Critical Impact
Local attackers or unprivileged users with audio device access can trigger wait queue list corruption resulting in a kernel panic and full system denial of service.
Affected Products
- Linux kernel ALSA PCM subsystem (sound/core/pcm_native.c)
- Multiple stable kernel branches addressed via backport commits
- Systems exposing ALSA PCM devices to local users
Discovery Timeline
- 2026-06-25 - CVE-2026-53242 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-53242
Vulnerability Analysis
The vulnerability is a wait queue list corruption [CWE-416-class] in the ALSA PCM drain path. snd_pcm_drain() previously used init_waitqueue_entry(), which does not clear the entry.prev and entry.next list pointers. The function then called add_wait_queue() followed by a conditional remove_wait_queue() that was skipped when the to_check substream was no longer part of the link group after a concurrent UNLINK operation.
When the conditional removal was skipped, the wait entry remained queued on the unlinked substream's sleep queue. On the next drain loop iteration, add_wait_queue() inserted the same entry into a different wait queue while it was still linked into the old one. This dual-linkage corrupts both list structures.
A later wake_up() traversal then dereferences memory at offset 0 of what it believes is a wait_queue_head_t, but the underlying memory is actually a spinlock. The resulting NULL function pointer dereference at the wait entry's func field causes an immediate kernel panic.
Root Cause
The root cause is improper wait entry lifecycle management combined with a race between snd_pcm_drain() and concurrent stream unlink operations. init_waitqueue_entry() does not initialize the list head pointers, and the cleanup path was guarded by a condition that could legitimately become false mid-operation.
Attack Vector
A local user with permission to open ALSA PCM devices can trigger the race by issuing drain operations against linked streams while concurrently unlinking them. Successful exploitation results in a kernel panic and host-wide denial of service. The vulnerability requires local access and is not remotely exploitable over a network.
The fix replaces init_waitqueue_entry, add_wait_queue, and the conditional remove_wait_queue with init_wait_entry, prepare_to_wait, and finish_wait. init_wait_entry clears prev/next via INIT_LIST_HEAD on each iteration and installs autoremove_wake_function, while finish_wait safely handles both already-removed and still-queued cases.
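The entry lifecycle described above, as an added userspace model (not kernel code and not the upstream patch). The list helpers mirror the kernel names; `drain_model`, `queue_intact`, and the two-queue setup are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of the kernel's circular list; not kernel code. */
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *n, struct list_head *head) {
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}
static void list_del_init(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
    INIT_LIST_HEAD(n);
}
/* A queue is intact when each node's neighbours point back at it. */
static bool queue_intact(const struct list_head *head) {
    const struct list_head *p = head;
    for (int i = 0; i < 8; i++) {
        if (p->next->prev != p || p->prev->next != p) return false;
        p = p->next;
        if (p == head) return true;
    }
    return false;
}

/* Two drain iterations: the entry waits on queue a, then on queue b.
 * 'unlinked' models a concurrent UNLINK during the first wait. */
bool drain_model(bool fixed, bool unlinked) {
    struct list_head a, b, entry, *queues[2] = { &a, &b };
    INIT_LIST_HEAD(&a); INIT_LIST_HEAD(&b);
    INIT_LIST_HEAD(&entry);              /* defined start state for the model */
    for (int i = 0; i < 2; i++) {
        if (fixed) {
            INIT_LIST_HEAD(&entry);                              /* init_wait_entry() */
            if (list_empty(&entry)) list_add(&entry, queues[i]); /* prepare_to_wait() */
            if (!list_empty(&entry)) list_del_init(&entry);      /* finish_wait() */
        } else {
            list_add(&entry, queues[i]); /* add_wait_queue(), pointers not cleared */
            if (!(unlinked && i == 0))   /* conditional remove_wait_queue() */
                list_del_init(&entry);
        }
    }
    return queue_intact(&a) && queue_intact(&b);
}

int main(void) {
    printf("old/no race=%d old/race=%d fixed/race=%d\n", drain_model(false, false),
           drain_model(false, true), drain_model(true, true));
    return 0;
}
```

In the old path with the race, queue `a` still points at an entry whose own pointers now belong to queue `b`, which is the state a later wake_up() traversal walks into.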
Detection Methods for CVE-2026-53242
Indicators of Compromise
- Kernel panic messages referencing wake_up, __wake_up_common, or snd_pcm_drain in the call stack
- NULL pointer dereference oops with the faulting address near offset 0 in wait_queue_entry_t->func
- Unexpected host reboots on systems running multimedia or audio-processing workloads with linked PCM streams
Detection Strategies
- Audit kernel versions against the patched stable branches referenced in the kernel.org commits
- Monitor /var/log/kern.log and dmesg output for ALSA-related list corruption warnings such as list_add corruption or WARN_ON triggers in wait queue functions
- Correlate audio subsystem usage by untrusted local users with kernel crash events in centralized logging
Monitoring Recommendations
- Forward kernel logs to a central SIEM and alert on panic strings containing snd_pcm or __wake_up frames
- Track unexpected reboots on multi-tenant Linux hosts and containers granted /dev/snd access
- Inventory which workloads require ALSA PCM access and review whether the access is necessary
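One way to turn the log indicators above into a triage check, as an added example that is not part of the original advisory. It counts a NULL-dereference oops only when both a `__wake_up` and a `snd_pcm` frame appear inside the same report (a stricter rule than the either-or alert above, chosen here to cut noise); the log lines, offsets, and `example_driver_irq` are constructed samples.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed kernel log excerpt for illustration; not from a real crash. */
static const char *const SAMPLE_LOG[] = {
    "kernel: BUG: kernel NULL pointer dereference, address: 0000000000000010",
    "kernel: Call Trace:",
    "kernel:  example_driver_irq+0x1c/0x40",
    "kernel: ---[ end trace 0000000000000000 ]---",
    "kernel: list_add corruption. (remainder omitted in this sample)",
    "kernel: BUG: kernel NULL pointer dereference, address: 0000000000000000",
    "kernel: Call Trace:",
    "kernel:  __wake_up_common+0x00/0x00",
    "kernel:  snd_pcm_drain+0x00/0x00",
    "kernel: ---[ end trace 0000000000000000 ]---",
};
#define SAMPLE_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

struct triage { int matching_oops; int list_warnings; };

/* Group lines into oops reports and flag reports with both frame types. */
struct triage triage_log(const char *const *lines, size_t n) {
    struct triage t = {0, 0};
    bool in_oops = false, wake = false, alsa = false;
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        if (strstr(l, "list_add corruption")) t.list_warnings++;
        if (strstr(l, "BUG: kernel NULL pointer dereference")) {
            in_oops = true; wake = alsa = false;   /* new report starts */
            continue;
        }
        if (!in_oops) continue;                    /* ignore frames outside a report */
        if (strstr(l, "__wake_up")) wake = true;
        if (strstr(l, "snd_pcm")) alsa = true;
        if (strstr(l, "---[ end trace")) {
            if (wake && alsa) t.matching_oops++;
            in_oops = false;
        }
    }
    if (in_oops && wake && alsa) t.matching_oops++; /* log cut short by the panic */
    return t;
}

int main(void) {
    struct triage t = triage_log(SAMPLE_LOG, SAMPLE_LEN);
    printf("matching oops: %d, list warnings: %d\n", t.matching_oops, t.list_warnings);
    return 0;
}
```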
How to Mitigate CVE-2026-53242
Immediate Actions Required
- Apply the upstream stable kernel update that includes the snd_pcm_drain() fix and reboot affected systems
- Inventory Linux hosts and containers that expose /dev/snd/* devices to untrusted users or workloads
- Restrict audio device access in container and sandbox configurations until patches are deployed
Patch Information
The fix is available in multiple stable kernel branches via the following commits: Linux Kernel Commit 7c71a95, Linux Kernel Commit 88fe2e36, Linux Kernel Commit b053fcd8, Linux Kernel Commit cac5bf35, Linux Kernel Commit cd98837d, Linux Kernel Commit d68b621b, and Linux Kernel Commit d842f26a. Update to the latest stable release of your distribution kernel.
Workarounds
- Remove or restrict access to ALSA PCM device nodes (/dev/snd/pcm*) for non-trusted local users where audio is not required
- Drop the audio group membership and remove /dev/snd from container device cgroups in untrusted workloads
- Disable the snd_pcm kernel module on servers that do not require audio functionality using modprobe -r snd_pcm and a blacklist entry

