MEDIUM 5.5

CVE-2026-46262: Linux Kernel fsl_xcvr Audio Driver Deadlock Vulnerability

A deadlock vulnerability exists in the Linux kernel's audio subsystem (ASoC fsl_xcvr driver) where a recent locking fix introduced the opposite problem: the code attempts to re-acquire a lock that is already held by the calling function, causing the system to hang. When a user adjusts audio control settings through ALSA, the kernel deadlocks instead of safely updating the configuration.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-667
Affected products
7 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: ASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put() This reverts commit f51424872760 ("ASoC: fsl_xcvr: fix missing lock in fsl_xcvr_mode_put()"). The original patch attempted to acquire the card->controls_rwsem lock in fsl_xcvr_mode_put(). However, this function is called from the upper ALSA core function snd_ctl_elem_write(), which already holds the write lock on controls_rwsem for the whole put operation. So there is no need to simply hold the lock for fsl_xcvr_activate_ctl() again. Acquiring the read lock while holding the write lock in the same thread results in a deadlock and a hung task, as reported by Alexander Stein.

7 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46262 addresses a lock re-entrancy issue in fsl_xcvr_mode_put(), a handler for audio control parameter changes in the Freescale XCVR audio transceiver driver. A prior patch (commit f51424872760) added a call to acquire card->controls_rwsem in read mode within fsl_xcvr_mode_put(). However, the caller—snd_ctl_elem_write() in the ALSA core—already holds the write lock on controls_rwsem. Attempting to acquire a read lock while holding the write lock in the same thread triggers a deadlock condition, manifesting as a hung task. The vulnerability is classified under CWE-667 (improper locking), and resolution requires reverting the problematic lock acquisition call.

Business impact

Systems running affected Linux kernel versions experience audio subsystem failures when users attempt to modify XCVR audio control parameters. This results in hung tasks and potential system instability, particularly on embedded and automotive platforms that rely on Freescale XCVR hardware. Services dependent on audio functionality become unresponsive, and in some environments, the hung task may trigger watchdog timeouts leading to unplanned reboots.

Affected systems

The vulnerability affects the Linux kernel across all branches where the problematic commit f51424872760 was applied. This impacts systems using Freescale/NXP XCVR audio transceiver hardware, commonly found in embedded systems, automotive head units, and IoT devices. Desktop and server systems without fsl_xcvr hardware are unaffected by this specific issue. The ASoC subsystem is kernel-mode only, so exploitation requires local access to audio control configuration.

Exploitability

Exploitability is limited. The vulnerability requires local access to the system and the ability to trigger ALSA audio control writes—typically available to unprivileged local users. A standard user can cause the deadlock by modifying audio settings through normal audio configuration utilities (e.g., amixer, pulseaudio, ALSA control applications). No network access or privilege escalation is necessary. However, this is a Denial of Service mechanism rather than a code execution or privilege escalation vector. The CVSS score of 5.5 (MEDIUM) reflects high availability impact but low confidentiality and integrity risk.

Remediation

Apply the kernel security update that reverts commit f51424872760. The fix removes the problematic lock acquisition call in fsl_xcvr_mode_put(), trusting the ALSA core's existing locking semantics. Systems should upgrade to a patched kernel version provided by their Linux distribution or vendor. For distributions, verify the kernel version that includes this fix against the vendor advisory.

Patch guidance

Check your kernel version against your Linux distribution's security advisory for CVE-2026-46262. Most distributions (Red Hat, Debian, Ubuntu, SUSE, etc.) will provide updated kernel packages. Apply the update through your standard package management system (yum, apt, zypper, etc.). For custom or self-compiled kernels, apply the revert patch or ensure commit f51424872760 is not present in your kernel tree. Recompile and reboot to activate the fix. Verify the patch is applied by checking that fsl_xcvr_mode_put() does not explicitly call down_read() on controls_rwsem.

Detection guidance

Monitor system logs for 'task hung' or 'RCU stall' messages in dmesg output, particularly those referencing audio or ALSA subsystems. Use kernel tracing tools (ftrace, SystemTap) to capture lock contention in the fsl_xcvr and ALSA core drivers. If you suspect the vulnerability, attempt to reproduce by running 'amixer set' commands on XCVR controls; a hung process is diagnostic. For proactive detection on running systems, audit running kernel version against known-vulnerable releases from your vendor. Tools like 'uname -r' and distribution-specific version queries establish baseline compliance.

Why prioritize this

Prioritize this vulnerability for systems using Freescale XCVR hardware in production audio or automotive applications where availability is critical. The local-only attack vector and requirement for active audio control changes limit enterprise data center risk but increase risk for embedded/IoT deployments. The MEDIUM CVSS score and high availability impact make this a standard-priority patch for affected product lines; defer only if audio hardware is disabled or unused. Enterprises without fsl_xcvr deployments may deprioritize in favor of higher-severity vulnerabilities.

Risk score, explained

CVSS 3.1 score of 5.5 (MEDIUM) reflects: Attack Vector Local (L) and Attack Complexity Low (L)—any local user can trigger via standard ALSA tools; Privileges Required (L)—unprivileged user; User Interaction None (N); Scope Unchanged; Confidentiality None (N); Integrity None (N); Availability High (H)—the deadlock halts audio subsystem and can hang the kernel. The score appropriately weights the DoS severity against the limited attack scope and zero impact to data confidentiality or integrity.

Frequently asked questions

Does this affect all Linux systems?

No. Only systems running the Linux kernel with Freescale XCVR audio hardware are affected. The vulnerability is specific to the fsl_xcvr driver. Desktop, server, and embedded systems without this hardware are unaffected. Check your hardware documentation or dmesg output for 'fsl_xcvr' references to confirm exposure.

Can this be exploited remotely?

No. The vulnerability requires local access to the system and the ability to invoke ALSA audio control commands. Remote users cannot trigger the deadlock. It is a local Denial of Service mechanism only.

What happens if I update my kernel?

Once you apply the patched kernel and reboot, the lock revert eliminates the deadlock condition. Audio control operations will function normally. No additional configuration changes are needed.

Is there a workaround if I cannot patch immediately?

If you cannot update immediately and require system availability, disable XCVR audio controls or unload the fsl_xcvr kernel module (if your system supports graceful unloading without critical dependency). However, patching is the recommended and permanent solution. Contact your vendor for interim guidance if audio functionality is non-negotiable.

This analysis is based on the published CVE record and kernel commit details available as of the stated publication date. Patch version numbers and availability vary by Linux distribution; verify specific update versions against your vendor's security advisory. This vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. No public exploit code is known at the time of publication. Security teams should validate their environment's specific exposure based on hardware inventory and kernel version audits. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).