{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23191", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.985Z", "datePublished": "2026-02-14T16:27:18.882Z", "dateUpdated": "2026-06-16T20:20:36.627Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:02:05.240Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: aloop: Fix racy access at PCM trigger\n\nThe PCM trigger callback of aloop driver tries to check the PCM state\nand stop the stream of the tied substream in the corresponding cable.\nSince both check and stop operations are performed outside the cable\nlock, this may result in UAF when a program attempts to trigger\nfrequently while opening/closing the tied stream, as spotted by\nfuzzers.\n\nFor addressing the UAF, this patch changes two things:\n- It covers the most of code in loopback_check_format() with\n cable->lock spinlock, and add the proper NULL checks. This avoids\n already some racy accesses.\n- In addition, now we try to check the state of the capture PCM stream\n that may be stopped in this function, which was the major pain point\n leading to UAF."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/drivers/aloop.c"], "versions": [{"version": "b1c73fc8e697eb73e23603e465e9af2711ed4183", "lessThan": "bad15420050db1803767e58756114800cce91ea4", "status": "affected", "versionType": "git"}, {"version": "b1c73fc8e697eb73e23603e465e9af2711ed4183", "lessThan": "5727ccf9d19ca414cb76d9b647883822e2789c2e", "status": "affected", "versionType": "git"}, {"version": "b1c73fc8e697eb73e23603e465e9af2711ed4183", "lessThan": "826af7fa62e347464b1b4e0ba2fe19a92438084f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/drivers/aloop.c"], "versions": [{"version": "2.6.37", "status": "affected"}, {"version": "0", "lessThan": "2.6.37", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.70", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.10", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.37", "versionEndExcluding": "6.12.70"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.37", "versionEndExcluding": "6.18.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.37", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/bad15420050db1803767e58756114800cce91ea4"}, {"url": "https://git.kernel.org/stable/c/5727ccf9d19ca414cb76d9b647883822e2789c2e"}, {"url": "https://git.kernel.org/stable/c/826af7fa62e347464b1b4e0ba2fe19a92438084f"}], "title": "ALSA: aloop: Fix racy access at PCM trigger", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-16T20:20:28.206628Z", "id": "CVE-2026-23191", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-16T20:20:36.627Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23191", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-16T20:20:28.206628Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-16T20:20:32.967Z"}}], "cna": {"title": "ALSA: aloop: Fix racy access at PCM trigger", "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "b1c73fc8e697eb73e23603e465e9af2711ed4183", "lessThan": "bad15420050db1803767e58756114800cce91ea4", "versionType": "git"}, {"status": "affected", "version": "b1c73fc8e697eb73e23603e465e9af2711ed4183", "lessThan": "5727ccf9d19ca414cb76d9b647883822e2789c2e", "versionType": "git"}, {"status": "affected", "version": "b1c73fc8e697eb73e23603e465e9af2711ed4183", "lessThan": "826af7fa62e347464b1b4e0ba2fe19a92438084f", "versionType": "git"}], "programFiles": ["sound/drivers/aloop.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "2.6.37"}, {"status": "unaffected", "version": "0", "lessThan": "2.6.37", "versionType": "semver"}, {"status": "unaffected", "version": "6.12.70", "versionType": "semver", "lessThanOrEqual": "6.12.*"}, {"status": "unaffected", "version": "6.18.10", "versionType": "semver", "lessThanOrEqual": "6.18.*"}, {"status": "unaffected", "version": "6.19", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["sound/drivers/aloop.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/bad15420050db1803767e58756114800cce91ea4"}, {"url": "https://git.kernel.org/stable/c/5727ccf9d19ca414cb76d9b647883822e2789c2e"}, {"url": "https://git.kernel.org/stable/c/826af7fa62e347464b1b4e0ba2fe19a92438084f"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: aloop: Fix racy access at PCM trigger\n\nThe PCM trigger callback of aloop driver tries to check the PCM state\nand stop the stream of the tied substream in the corresponding cable.\nSince both check and stop operations are performed outside the cable\nlock, this may result in UAF when a program attempts to trigger\nfrequently while opening/closing the tied stream, as spotted by\nfuzzers.\n\nFor addressing the UAF, this patch changes two things:\n- It covers the most of code in loopback_check_format() with\n cable->lock spinlock, and add the proper NULL checks. This avoids\n already some racy accesses.\n- In addition, now we try to check the state of the capture PCM stream\n that may be stopped in this function, which was the major pain point\n leading to UAF."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.12.70", "versionStartIncluding": "2.6.37"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.18.10", "versionStartIncluding": "2.6.37"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.19", "versionStartIncluding": "2.6.37"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:02:05.240Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23191", "state": "PUBLISHED", "dateUpdated": "2026-06-16T20:20:36.627Z", "dateReserved": "2026-01-13T15:37:45.985Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2026-02-14T16:27:18.882Z", "assignerShortName": "Linux"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "57FD0C99-9777-4D7D-8B2A-229D38298229", "versionEndExcluding": "6.12.70", "versionStartIncluding": "2.6.37", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7156C23F-009E-4D05-838C-A2DA417B5B8D", "versionEndExcluding": "6.18.10", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: aloop: Fix racy access at PCM trigger\n\nThe PCM trigger callback of aloop driver tries to check the PCM state\nand stop the stream of the tied substream in the corresponding cable.\nSince both check and stop operations are performed outside the cable\nlock, this may result in UAF when a program attempts to trigger\nfrequently while opening/closing the tied stream, as spotted by\nfuzzers.\n\nFor addressing the UAF, this patch changes two things:\n- It covers the most of code in loopback_check_format() with\n cable->lock spinlock, and add the proper NULL checks. This avoids\n already some racy accesses.\n- In addition, now we try to check the state of the capture PCM stream\n that may be stopped in this function, which was the major pain point\n leading to UAF."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nALSA: aloop: Corrige el acceso con condiciones de carrera en el disparador PCM\n\nLa funci\u00f3n de devoluci\u00f3n de llamada del disparador PCM del controlador aloop intenta verificar el estado de PCM y detener el flujo del subflujo vinculado en el cable correspondiente. Dado que tanto las operaciones de verificaci\u00f3n como las de detenci\u00f3n se realizan fuera del bloqueo del cable, esto puede resultar en UAF cuando un programa intenta disparar frecuentemente mientras abre/cierra el flujo vinculado, como detectaron los fuzzers.\n\nPara abordar el UAF, este parche cambia dos cosas:\n- Cubre la mayor parte del c\u00f3digo en loopback_check_format() con el spinlock cable->lock, y a\u00f1ade las comprobaciones de NULL adecuadas. Esto ya evita algunos accesos con condiciones de carrera.\n- Adem\u00e1s, ahora intentamos verificar el estado del flujo PCM de captura que puede ser detenido en esta funci\u00f3n, lo cual era el principal punto problem\u00e1tico que conduc\u00eda al UAF."}], "id": "CVE-2026-23191", "lastModified": "2026-04-03T14:16:26.377", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-14T17:15:56.917", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5727ccf9d19ca414cb76d9b647883822e2789c2e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/826af7fa62e347464b1b4e0ba2fe19a92438084f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bad15420050db1803767e58756114800cce91ea4"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ALSA: aloop: Fix racy access at PCM trigger", "id": "2439947", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439947"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nALSA: aloop: Fix racy access at PCM trigger\nThe PCM trigger callback of aloop driver tries to check the PCM state\nand stop the stream of the tied substream in the corresponding cable.\nSince both check and stop operations are performed outside the cable\nlock, this may result in UAF when a program attempts to trigger\nfrequently while opening/closing the tied stream, as spotted by\nfuzzers.\nFor addressing the UAF, this patch changes two things:\n- It covers the most of code in loopback_check_format() with\ncable->lock spinlock, and add the proper NULL checks. This avoids\nalready some racy accesses.\n- In addition, now we try to check the state of the capture PCM stream\nthat may be stopped in this function, which was the major pain point\nleading to UAF."], "name": "CVE-2026-23191", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23191\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23191\nhttps://lore.kernel.org/linux-cve-announce/2026021433-CVE-2026-23191-f990@gregkh/T"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,bad15420050db1803767e58756114800cce91ea4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,5727ccf9d19ca414cb76d9b647883822e2789c2e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,826af7fa62e347464b1b4e0ba2fe19a92438084f)"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.70,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.10,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19,*]"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-15T20:30:03.763827+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the latest ALSA loopback driver patches", "If an immediate kernel upgrade is not feasible, restrict access to the ALSA loopback device by adjusting udev rules or file permissions so that only trusted applications can trigger it", "Monitor the system for kernel crashes or abnormal audio driver behavior, and apply emergency kernel patches or roll back to a known stable release if instability occurs"], "summary": {"action": "Apply Patch", "impact": "Kernel use\u2011after\u2011free that could lead to local privilege escalation or denial of service"}, "threat_synthesis": {"affected_systems": "All Linux kernel builds are affected until the patch that surrounds the critical code with a spin\u2011lock and adds null checks is applied. The patch appears in kernel 6.19 releases and backported to earlier releases. Devices running Linux kernels other than the patched versions expose the loopback driver to the race condition described above.", "description_and_impact": "The ALSA aloop driver in the Linux kernel contains a race between checking the PCM state and stopping a tied substream. Because these operations occur outside the cable lock, frequent trigger calls while the substream is opened or closed can lead to a use\u2011after\u2011free in the kernel. A use\u2011after\u2011free allows an attacker to corrupt kernel memory and may result in a crash or in the execution of arbitrary code with kernel privileges. The vulnerability is limited to the ALSA loopback device and requires the ability to trigger it, typically through a user\u2011space audio program.", "risk_and_exploitability": "The CVSS score of 7.8 indicates high severity, but the EPSS score of less than 1% signals that the likelihood of exploitation is low at present. The vulnerability is local, requiring a program with access to the ALSA loopback device; it is not remotely exploitable. Because it is not listed in the CISA KEV catalog, there is no widespread evidence of active exploitation. Nevertheless, the potential for privilege escalation or service disruption warrants prompt mitigation."}}}}, "created": "2026-02-16T09:43:43.396725+00:00", "updated": "2026-04-15T20:30:13.783930+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}