CVE-2026-23191

Advisory lineage Upstream: 0 Downstream: 48

Downstream

DEBIAN-CVE-2026-23191 DSA-6141-1 OPENSUSE-SU-2026:20416-1 RHSA-2026:13734 RHSA-2026:13932 RHSA-2026:13936

Modified

Published: 14 Feb 2026, 16:27

Last modified:11 May 2026, 22:02

Vulnerability Summary

Overall Risk (default)

medium

31/100

CVSS Score

7.8 HIGH

v3.1 (cve.org)

EPSS Score

0.02% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

14 Feb 2026, 16:27

Published

Vulnerability first disclosed

11 May 2026, 22:02

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at PCM trigger The PCM trigger callback of aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are performed outside the cable lock, this may result in UAF when a program attempts to trigger frequently while opening/closing the tied stream, as spotted by fuzzers. For addressing the UAF, this patch changes two things: - It covers the most of code in loopback_check_format() with cable->lock spinlock, and add the proper NULL checks. This avoids already some racy accesses. - In addition, now we try to check the state of the capture PCM stream that may be stopped in this function, which was the major pain point leading to UAF.

CVSS Metrics

v3.1•HIGH•Score: 7CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.02%• Percentile: 5%

Techniques & Countermeasures

CWE-416•Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Affected Systems

linux•linux
≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < bad15420050db1803767e58756114800cce91ea4 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 5727ccf9d19ca414cb76d9b647883822e2789c2e | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 826af7fa62e347464b1b4e0ba2fe19a92438084f | ≥ b1c73fc8e697eb73e23603e465e9af2711ed4183, < bad15420050db1803767e58756114800cce91ea4 | ≥ b1c73fc8e697eb73e23603e465e9af2711ed4183, < 5727ccf9d19ca414cb76d9b647883822e2789c2e | ≥ b1c73fc8e697eb73e23603e465e9af2711ed4183, < 826af7fa62e347464b1b4e0ba2fe19a92438084f | 2.6.37
linux•linux_kernel
≥ 2.6.37, < 6.12.70 | ≥ 6.13, < 6.18.10 | 6.19:rc1 | 6.19:rc2 | 6.19:rc3 | 6.19:rc4 | 6.19:rc5 | 6.19:rc6 | 6.19:rc7 | 6.19:rc8