CVE-2026-46262: Linux Kernel fsl_xcvr Audio Driver Deadlock Vulnerability
A deadlock vulnerability exists in the Linux kernel's audio subsystem (ASoC fsl_xcvr driver) where a recent locking fix introduced the opposite problem: the code attempts to re-acquire a lock that is already held by the calling function, causing the system to hang. When a user adjusts audio control settings through ALSA, the kernel deadlocks instead of safely updating the configuration.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-667
- Affected products
- 7 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: ASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put() This reverts commit f51424872760 ("ASoC: fsl_xcvr: fix missing lock in fsl_xcvr_mode_put()"). The original patch attempted to acquire the card->controls_rwsem lock in fsl_xcvr_mode_put(). However, this function is called from the upper ALSA core function snd_ctl_elem_write(), which already holds the write lock on controls_rwsem for the whole put operation. So there is no need to simply hold the lock for fsl_xcvr_activate_ctl() again. Acquiring the read lock while holding the write lock in the same thread results in a deadlock and a hung task, as reported by Alexander Stein.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46262 addresses a lock re-entrancy issue in fsl_xcvr_mode_put(), a handler for audio control parameter changes in the Freescale XCVR audio transceiver driver. A prior patch (commit f51424872760) added a call to acquire card->controls_rwsem in read mode within fsl_xcvr_mode_put(). However, the caller—snd_ctl_elem_write() in the ALSA core—already holds the write lock on controls_rwsem. Attempting to acquire a read lock while holding the write lock in the same thread triggers a deadlock condition, manifesting as a hung task. The vulnerability is classified under CWE-667 (improper locking), and resolution requires reverting the problematic lock acquisition call.
Business impact
Systems running affected Linux kernel versions experience audio subsystem failures when users attempt to modify XCVR audio control parameters. This results in hung tasks and potential system instability, particularly on embedded and automotive platforms that rely on Freescale XCVR hardware. Services dependent on audio functionality become unresponsive, and in some environments, the hung task may trigger watchdog timeouts leading to unplanned reboots.
Affected systems
The vulnerability affects the Linux kernel across all branches where the problematic commit f51424872760 was applied. This impacts systems using Freescale/NXP XCVR audio transceiver hardware, commonly found in embedded systems, automotive head units, and IoT devices. Desktop and server systems without fsl_xcvr hardware are unaffected by this specific issue. The ASoC subsystem is kernel-mode only, so exploitation requires local access to audio control configuration.
Exploitability
Exploitability is limited. The vulnerability requires local access to the system and the ability to trigger ALSA audio control writes—typically available to unprivileged local users. A standard user can cause the deadlock by modifying audio settings through normal audio configuration utilities (e.g., amixer, pulseaudio, ALSA control applications). No network access or privilege escalation is necessary. However, this is a Denial of Service mechanism rather than a code execution or privilege escalation vector. The CVSS score of 5.5 (MEDIUM) reflects high availability impact but low confidentiality and integrity risk.
Remediation
Apply the kernel security update that reverts commit f51424872760. The fix removes the problematic lock acquisition call in fsl_xcvr_mode_put(), trusting the ALSA core's existing locking semantics. Systems should upgrade to a patched kernel version provided by their Linux distribution or vendor. For distributions, verify the kernel version that includes this fix against the vendor advisory.
Patch guidance
Check your kernel version against your Linux distribution's security advisory for CVE-2026-46262. Most distributions (Red Hat, Debian, Ubuntu, SUSE, etc.) will provide updated kernel packages. Apply the update through your standard package management system (yum, apt, zypper, etc.). For custom or self-compiled kernels, apply the revert patch or ensure commit f51424872760 is not present in your kernel tree. Recompile and reboot to activate the fix. Verify the patch is applied by checking that fsl_xcvr_mode_put() does not explicitly call down_read() on controls_rwsem.
Detection guidance
Monitor system logs for 'task hung' or 'RCU stall' messages in dmesg output, particularly those referencing audio or ALSA subsystems. Use kernel tracing tools (ftrace, SystemTap) to capture lock contention in the fsl_xcvr and ALSA core drivers. If you suspect the vulnerability, attempt to reproduce by running 'amixer set' commands on XCVR controls; a hung process is diagnostic. For proactive detection on running systems, audit running kernel version against known-vulnerable releases from your vendor. Tools like 'uname -r' and distribution-specific version queries establish baseline compliance.
Why prioritize this
Prioritize this vulnerability for systems using Freescale XCVR hardware in production audio or automotive applications where availability is critical. The local-only attack vector and requirement for active audio control changes limit enterprise data center risk but increase risk for embedded/IoT deployments. The MEDIUM CVSS score and high availability impact make this a standard-priority patch for affected product lines; defer only if audio hardware is disabled or unused. Enterprises without fsl_xcvr deployments may deprioritize in favor of higher-severity vulnerabilities.
Risk score, explained
CVSS 3.1 score of 5.5 (MEDIUM) reflects: Attack Vector Local (L) and Attack Complexity Low (L)—any local user can trigger via standard ALSA tools; Privileges Required (L)—unprivileged user; User Interaction None (N); Scope Unchanged; Confidentiality None (N); Integrity None (N); Availability High (H)—the deadlock halts audio subsystem and can hang the kernel. The score appropriately weights the DoS severity against the limited attack scope and zero impact to data confidentiality or integrity.
Frequently asked questions
Does this affect all Linux systems?
No. Only systems running the Linux kernel with Freescale XCVR audio hardware are affected. The vulnerability is specific to the fsl_xcvr driver. Desktop, server, and embedded systems without this hardware are unaffected. Check your hardware documentation or dmesg output for 'fsl_xcvr' references to confirm exposure.
Can this be exploited remotely?
No. The vulnerability requires local access to the system and the ability to invoke ALSA audio control commands. Remote users cannot trigger the deadlock. It is a local Denial of Service mechanism only.
What happens if I update my kernel?
Once you apply the patched kernel and reboot, the lock revert eliminates the deadlock condition. Audio control operations will function normally. No additional configuration changes are needed.
Is there a workaround if I cannot patch immediately?
If you cannot update immediately and require system availability, disable XCVR audio controls or unload the fsl_xcvr kernel module (if your system supports graceful unloading without critical dependency). However, patching is the recommended and permanent solution. Contact your vendor for interim guidance if audio functionality is non-negotiable.
This analysis is based on the published CVE record and kernel commit details available as of the stated publication date. Patch version numbers and availability vary by Linux distribution; verify specific update versions against your vendor's security advisory. This vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. No public exploit code is known at the time of publication. Security teams should validate their environment's specific exposure based on hardware inventory and kernel version audits. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46156MEDIUMLinux Kernel Loongson GPU Driver ADE Panic on Loongarch
- CVE-2026-46165MEDIUMLinux Kernel Open vSwitch Vport Deadlock Denial of Service
- CVE-2026-46223MEDIUMLinux Kernel Cgroup Deadlock During Container Teardown
- CVE-2026-46252MEDIUMLinux Kernel Regulator Locking Vulnerability
- CVE-2026-46256MEDIUMLinux NFS LOCALIO Recursion Deadlock Vulnerability
- CVE-2026-46112HIGHLinux HNS RDMA Driver Locking Bug Enables Local Privilege Escalation
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout