HIGH 7.8

CVE-2026-46157

A concurrency bug exists in the Linux kernel's ALSA (Advanced Linux Sound Architecture) OSS (Open Sound System) compatibility layer. When multiple processes try to access and modify the trigger control bit simultaneously, the kernel lacks proper synchronization, allowing writes to corrupt not just the intended trigger flag but adjacent bit fields in memory. This confusion can destabilize audio subsystem behavior. The vulnerability requires local access and privileges to trigger.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-362
Affected products
7 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race. And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing. Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability is a data race in the ALSA PCM OSS subsystem affecting the runtime.oss.trigger bit field. Without mutual exclusion, concurrent access to this field by snd_pcm_oss_get_trigger() and snd_pcm_oss_poll() can cause non-atomic writes that overwrite adjacent bit fields. Since bit fields in C can share underlying storage, unsynchronized modifications corrupt related state, leading to undefined behavior in PCM operation control. The fix involves protecting both access paths with the existing params_lock mutex to serialize all reads and writes to the trigger bit.

Business impact

Exploitation could disrupt audio services on affected Linux systems, potentially affecting voice communication, streaming applications, conferencing platforms, and any workload relying on PCM audio playback or recording. On systems where audio is critical to business operations—such as VoIP infrastructure, real-time media servers, or containerized audio processing—successful exploitation may cause denial of service. The local privilege requirement limits blast radius to authenticated users or compromised processes running with at least standard user permissions.

Affected systems

This vulnerability affects the Linux kernel across all distributions and versions where the ALSA PCM OSS subsystem is compiled in and in use. The bug is in core kernel code, so any Linux system with ALSA and OSS support enabled is potentially vulnerable until patched. Embedded devices, IoT systems, and server platforms running vulnerable kernel versions are all in scope. Verify your kernel version and ALSA configuration against your vendor's advisory for definitive affected version ranges.

Exploitability

Exploitation requires local system access and at least unprivileged user-level privileges. An attacker would need to trigger rapid concurrent access to ALSA PCM OSS interfaces—feasible through multi-threaded or multi-process abuse of audio-related syscalls. No network vector exists. The vulnerability is unlikely to be weaponized for widespread remote exploitation due to local-only access requirement, but it poses material risk in multi-tenant or high-concurrency audio environments. The CVSS 7.8 HIGH score reflects confidentiality, integrity, and availability impact under local attack conditions.

Remediation

Apply kernel security updates from your Linux distribution as soon as they become available. The fix requires recompiling and redeploying the kernel with the patch applied, followed by a reboot to activate the corrected code. Organizations should prioritize patching systems where ALSA OSS is actively used, particularly audio servers, containerized environments, and user-facing systems. Verify patch availability via your vendor's security advisory.

Patch guidance

Monitor your Linux distributor's security bulletins and kernel release notes for updates addressing CVE-2026-46157. Test patches in a non-production environment first to confirm audio subsystem stability and compatibility with dependent applications. Once validated, schedule kernel updates during maintenance windows that accommodate service restarts. Confirm the updated kernel is running post-reboot by checking /proc/version or uname output. If OSS is not required for your workloads, disabling ALSA OSS support at compile time or via kernel parameters may be an interim control.

Detection guidance

Monitor system logs for ALSA or audio-related warnings, crashes, or anomalous behavior following concurrent audio operations. Tools like kernel memory debuggers (KASAN, if available in your build) may flag the race condition during testing. Endpoint detection should flag unusual patterns of repeated audio subsystem access or PCM device polling by non-standard processes. Network-based detection is not applicable since this is a local kernel vulnerability; focus on behavioral and log-based signals indicating audio subsystem abuse.

Why prioritize this

Despite its local-only nature, the HIGH severity (CVSS 7.8) reflects significant impact: the bug corrupts adjacent kernel state, potentially affecting system stability and confidentiality. Organizations running audio workloads or multi-tenant systems with untrusted users should prioritize this patch. It is not currently in the KEV list, but that does not reduce the technical risk. Combine threat modeling with asset inventory: prioritize any system where ALSA OSS is actively used or where local privilege escalation chains could amplify impact.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) is assigned because: (1) Attack Vector is Local, reflecting the access requirement; (2) Attack Complexity is Low, indicating straightforward concurrent access triggers the flaw; (3) Privileges Required is Low, meaning standard users can exploit it; (4) User Interaction is None; (5) Scope is Unchanged; (6) Confidentiality, Integrity, and Availability are all rated High, as bit field corruption can leak kernel memory, corrupt audio state, and crash the subsystem. The score appropriately balances local-only access against high-impact effects on system state and availability.

Frequently asked questions

Do I need to patch this if I do not use ALSA audio?

If your Linux system has ALSA PCM OSS compiled out or disabled, you are not vulnerable. Check your kernel config and running kernel parameters. Many server distributions disable OSS by default, but verification is essential. When in doubt, apply patches as part of routine security maintenance.

Can this vulnerability be triggered over the network?

No. The vulnerability requires local system access and the ability to execute code or syscalls with at least unprivileged user privileges. It cannot be exploited remotely across a network without first compromising local access.

Will this cause data loss or corrupt audio files?

The data race affects the in-kernel trigger state machine, not persistent audio files on disk. However, it can cause audio playback or recording to malfunction, resulting in lost or garbled audio within a session. Restarting the audio application or system typically recovers normal operation after the kernel is patched.

How do I know if my kernel is vulnerable?

Check your kernel version against your Linux vendor's security advisory for CVE-2026-46157. Most distributions will provide a specific fixed version number. You can also verify whether ALSA OSS support is enabled in your running kernel by checking for OSS devices (e.g., /dev/dsp) or querying kernel config if available. If in doubt, apply the patch during your next maintenance window.

This analysis is provided for informational purposes and reflects vulnerability intelligence current as of the publication date. All CVSS scores, affected versions, and patch guidance are sourced from official vendor advisories; verify against your Linux distributor's security bulletins before implementing any remediation. No exploit code or proof-of-concept instructions are provided. Organizations should conduct their own risk assessment, testing, and validation in accordance with their security policies and operational requirements. SEC.co and its authors make no warranty regarding the completeness or accuracy of this information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities

  • CVE-2026-10006HIGH

    CVE-2026-10006: Chrome WebAudio Race Condition Remote Code Execution

  • CVE-2026-10940HIGH

    CVE-2026-10940: Chrome Windows Sandbox Escape via Codec Race Condition

  • CVE-2026-10565LOW

    CVE-2026-10565: Race Condition in Open5GS NGAP Handover Affects 5G Service Continuity

  • CVE-2026-10001HIGH

    CVE-2026-10001: Chrome Sandbox Escape via PerformanceManager Use-After-Free

  • CVE-2026-10002HIGH

    CVE-2026-10002: Google Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)

  • CVE-2026-10003HIGH

    CVE-2026-10003: Chrome Use-After-Free Code Execution Vulnerability Analysis

  • CVE-2026-10007HIGH

    CVE-2026-10007: Chrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)

  • CVE-2026-10009HIGH

    CVE-2026-10009: Chrome Skia Integer Overflow Sandbox Escape – Patch Guidance