MEDIUM 5.5

CVE-2026-46143

CVE-2026-46143 is a memory leak vulnerability in the Linux kernel's QCOM audio subsystem. The issue occurs in the ASoC (ALSA System on Chip) driver for QCOM Q6APM LPASS audio interfaces, where the prepare function can be invoked multiple times. Each invocation opens a new graph for the playback path without checking if one is already open, resulting in cumulative resource exhaustion. While the vulnerability requires local access and low-privilege execution context, the impact is availability disruption through memory exhaustion.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-401
Affected products
4 configuration(s)
Published / Modified
2026-05-28 / 2026-06-24

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens As prepare can be called mulitple times, this can result in multiple graph opens for playback path. This will result in a memory leaks, fix this by adding a check before opening.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the q6apm-lpass-dai driver (part of the Linux kernel's sound subsystem) where the prepare callback lacks idempotency checks. When prepare() is called repeatedly—a normal occurrence during audio stream state transitions—it unconditionally opens a new graph object for the playback data path. The underlying graph management code does not deduplicatate or prevent redundant opens, causing orphaned file handles and heap allocations to accumulate. The CWE-401 classification (Missing Release of Memory after Effective Lifetime) accurately describes the root cause: allocated graph resources are never freed when subsequent opens occur without corresponding closes. Local attackers or unprivileged applications can trigger this by repeatedly starting and stopping audio playback, degrading system performance or causing out-of-memory conditions.

Business impact

For organizations operating Linux systems with QCOM Snapdragon platforms (typically Android devices, embedded systems, and IoT edge devices), this vulnerability creates an availability risk. Legitimate audio applications or malicious local code can exhaust memory reserves, degrading device responsiveness, interrupting voice calls, or forcing reboots. On multi-tenant edge compute or containerized deployments, a compromised workload could starve neighboring processes. The low privilege requirement and local-only access vector limit blast radius, but affected device fleets will require coordinated patching to restore stability.

Affected systems

The vulnerability affects the Linux kernel with the QCOM audio subsystem enabled. This is most prevalent in Android devices using Snapdragon SoCs and embedded Linux distributions running audio-capable QCOM silicon. Devices must have CONFIG_SND_SOC_QCOM_APM_LPASS_DAI enabled in their kernel configuration. Desktop and server Linux systems typically do not include this audio subsystem driver, unless running specialized audio workstations or development boards based on QCOM platforms.

Exploitability

Exploitation requires local access and the ability to execute code with unprivileged user privileges (the CVSS vector specifies PR:L, UI:N). An attacker does not need special permissions but must reside on or have a login session to the affected system. The attack is highly practical: simply opening and closing audio streams repeatedly triggers the leak. No special tools or kernel exploits are required. However, the attack is not remotely exploitable, limiting real-world risk for internet-connected systems where local access is already a prerequisite for compromise. The lack of user interaction requirement (UI:N) means background or automated processes can trigger the condition.

Remediation

The fix involves adding a pre-check in the prepare() callback to verify whether a graph is already open for the playback path before attempting to open a new one. If a graph is already active, the function returns early without allocating new resources. This idempotent pattern is a standard defensive measure for callbacks that may be invoked multiple times during state transitions. Verify the specific patch version against your kernel release line through the Linux kernel upstream repository or your distribution's advisory.

Patch guidance

Users should apply the Linux kernel security patch when released by their distribution (Red Hat, Canonical, SUSE, etc.) or compile directly from linux-next or stable branches after the fix is merged upstream. For Android devices, wait for OTA updates from the device manufacturer or carrier that incorporate the patched kernel. The timeline depends on your kernel track: mainline Linux typically patches quickly, while Android devices may lag 1-3 months behind upstream fixes. Verify the patch resolves the missing graph-open check in the q6apm-lpass-dai prepare function. Intermediate mitigations are limited; disabling audio subsystem usage is not practical for user-facing devices.

Detection guidance

Monitor affected systems for signs of memory exhaustion: sustained high memory utilization, frequent out-of-memory killer activations (check /var/log/messages or kernel logs for OOM events), or audio service crashes and restarts. On Android, look for repeated crashes of audio services or the system_server process. Network-based detection is not applicable due to the local-only nature. If dynamic analysis is feasible, instrument the kernel with tracepoints on prepare() calls to detect rapid, repetitive invocations without intervening closes. Valgrind or similar memory sanitizers can identify leaked allocations in audio driver code paths during testing.

Why prioritize this

This vulnerability merits prompt patching due to its straightforward exploitability and clear availability impact. While the CVSS score of 5.5 reflects the local-only access requirement, the practical ease of triggering memory exhaustion and the lack of user interaction barriers make it a tangible operational risk. Organizations with significant QCOM-based device deployments—particularly in voice, IoT, or edge settings—should prioritize this update. The absence of public exploit code or KEV tracking suggests limited active exploitation, but the long timeline between upstream fix and device OTA means early patching provides proactive protection.

Risk score, explained

The CVSS:3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H yields a score of 5.5 (MEDIUM). The score reflects: (1) local-only attack vector (AV:L) eliminating remote exploitability; (2) low attack complexity (AC:L) indicating no special conditions are needed; (3) low privilege requirement (PR:L) allowing any user; (4) no user interaction required (UI:N) enabling automated attacks; (5) no confidentiality or integrity impact (C:N, I:N); and (6) high availability impact (A:H) from memory exhaustion. The overall MEDIUM rating appropriately signals a real but bounded risk: serious for local attackers and system stability, but not critical given the local-only scope.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The attack vector is local-only (AV:L in the CVSS vector). An attacker must have a local presence on the affected system, such as a user account, shell access, or a running application. Internet-based remote exploitation is not possible.

What audio platforms are affected?

The vulnerability is specific to the QCOM Q6APM LPASS audio subsystem driver used in Snapdragon-based devices. This primarily affects Android smartphones and tablets, QCOM-based IoT edge devices, and embedded Linux systems running this audio hardware. Conventional desktop and server Linux systems without this driver are not affected.

Is there a simple workaround until patches are available?

Practical workarounds are limited. Disabling audio entirely is not feasible for consumer devices. On development or test systems, you could limit audio subsystem use or restart the audio service periodically to flush memory. For production deployments, applying the official patch through your distribution or device manufacturer is the recommended approach.

How does this memory leak manifest to end users?

Users may experience device slowdowns, audio stuttering or service restarts, battery drain due to excessive memory pressure, or in severe cases, device reboots triggered by the kernel's out-of-memory killer. These symptoms are especially likely after prolonged audio usage or when running other memory-intensive applications concurrently.

This analysis is provided for informational purposes only and is not a substitute for official vendor advisories or detailed testing in your environment. CVSS scores, affected product lists, and patch versions are derived from authoritative sources and should be independently verified against your specific kernel release and device configuration. Security teams should conduct their own risk assessment considering their organizational context, device inventory, and threat model. No exploit code or weaponized proof-of-concept is provided herein. Always apply patches through official distribution channels and validate functionality before deploying to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities