{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23191", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.985Z", "datePublished": "2026-02-14T16:27:18.882Z", "dateUpdated": "2026-02-16T08:58:55.176Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-02-16T08:58:55.176Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: aloop: Fix racy access at PCM trigger\n\nThe PCM trigger callback of aloop driver tries to check the PCM state\nand stop the stream of the tied substream in the corresponding cable.\nSince both check and stop operations are performed outside the cable\nlock, this may result in UAF when a program attempts to trigger\nfrequently while opening/closing the tied stream, as spotted by\nfuzzers.\n\nFor addressing the UAF, this patch changes two things:\n- It covers the most of code in loopback_check_format() with\n cable->lock spinlock, and add the proper NULL checks. This avoids\n already some racy accesses.\n- In addition, now we try to check the state of the capture PCM stream\n that may be stopped in this function, which was the major pain point\n leading to UAF."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/drivers/aloop.c"], "versions": [{"version": "b1c73fc8e697eb73e23603e465e9af2711ed4183", "lessThan": "bad15420050db1803767e58756114800cce91ea4", "status": "affected", "versionType": "git"}, {"version": "b1c73fc8e697eb73e23603e465e9af2711ed4183", "lessThan": "5727ccf9d19ca414cb76d9b647883822e2789c2e", "status": "affected", "versionType": "git"}, {"version": "b1c73fc8e697eb73e23603e465e9af2711ed4183", "lessThan": "826af7fa62e347464b1b4e0ba2fe19a92438084f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/drivers/aloop.c"], "versions": [{"version": "2.6.37", "status": "affected"}, {"version": "0", "lessThan": "2.6.37", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.70", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.10", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.37", "versionEndExcluding": "6.12.70"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.37", "versionEndExcluding": "6.18.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.37", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/bad15420050db1803767e58756114800cce91ea4"}, {"url": "https://git.kernel.org/stable/c/5727ccf9d19ca414cb76d9b647883822e2789c2e"}, {"url": "https://git.kernel.org/stable/c/826af7fa62e347464b1b4e0ba2fe19a92438084f"}], "title": "ALSA: aloop: Fix racy access at PCM trigger", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: aloop: Fix racy access at PCM trigger\n\nThe PCM trigger callback of aloop driver tries to check the PCM state\nand stop the stream of the tied substream in the corresponding cable.\nSince both check and stop operations are performed outside the cable\nlock, this may result in UAF when a program attempts to trigger\nfrequently while opening/closing the tied stream, as spotted by\nfuzzers.\n\nFor addressing the UAF, this patch changes two things:\n- It covers the most of code in loopback_check_format() with\n cable->lock spinlock, and add the proper NULL checks. This avoids\n already some racy accesses.\n- In addition, now we try to check the state of the capture PCM stream\n that may be stopped in this function, which was the major pain point\n leading to UAF."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nALSA: aloop: Corrige el acceso con condiciones de carrera en el disparador PCM\n\nLa funci\u00f3n de devoluci\u00f3n de llamada del disparador PCM del controlador aloop intenta verificar el estado de PCM y detener el flujo del subflujo vinculado en el cable correspondiente. Dado que tanto las operaciones de verificaci\u00f3n como las de detenci\u00f3n se realizan fuera del bloqueo del cable, esto puede resultar en UAF cuando un programa intenta disparar frecuentemente mientras abre/cierra el flujo vinculado, como detectaron los fuzzers.\n\nPara abordar el UAF, este parche cambia dos cosas:\n- Cubre la mayor parte del c\u00f3digo en loopback_check_format() con el spinlock cable->lock, y a\u00f1ade las comprobaciones de NULL adecuadas. Esto ya evita algunos accesos con condiciones de carrera.\n- Adem\u00e1s, ahora intentamos verificar el estado del flujo PCM de captura que puede ser detenido en esta funci\u00f3n, lo cual era el principal punto problem\u00e1tico que conduc\u00eda al UAF."}], "id": "CVE-2026-23191", "lastModified": "2026-02-18T17:52:22.253", "metrics": {}, "published": "2026-02-14T17:15:56.917", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5727ccf9d19ca414cb76d9b647883822e2789c2e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/826af7fa62e347464b1b4e0ba2fe19a92438084f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bad15420050db1803767e58756114800cce91ea4"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: ALSA: aloop: Fix racy access at PCM trigger", "id": "2439947", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439947"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nALSA: aloop: Fix racy access at PCM trigger\nThe PCM trigger callback of aloop driver tries to check the PCM state\nand stop the stream of the tied substream in the corresponding cable.\nSince both check and stop operations are performed outside the cable\nlock, this may result in UAF when a program attempts to trigger\nfrequently while opening/closing the tied stream, as spotted by\nfuzzers.\nFor addressing the UAF, this patch changes two things:\n- It covers the most of code in loopback_check_format() with\ncable->lock spinlock, and add the proper NULL checks. This avoids\nalready some racy accesses.\n- In addition, now we try to check the state of the capture PCM stream\nthat may be stopped in this function, which was the major pain point\nleading to UAF."], "name": "CVE-2026-23191", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23191\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23191\nhttps://lore.kernel.org/linux-cve-announce/2026021433-CVE-2026-23191-f990@gregkh/T"], "threat_severity": "Important"}

{"created": "2026-02-16T09:43:43.396725+00:00", "updated": "2026-02-16T09:43:43.396806+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}