CVE-2026-23191
Severity
7.0HIGH
EPSS
0.0%
top 96.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedFeb 14
Description
In the Linux kernel, the following vulnerability has been resolved:
ALSA: aloop: Fix racy access at PCM trigger
The PCM trigger callback of aloop driver tries to check the PCM state
and stop the stream of the tied substream in the corresponding cable.
Since both check and stop operations are performed outside the cable
lock, this may result in UAF when a program attempts to trigger
frequently while opening/closing the tied stream, as spotted by
fuzzers.
For addressing the UAF, this patch chan…
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9
Affected Packages3 packages
▶CVEListV5linux/linuxb1c73fc8e697eb73e23603e465e9af2711ed4183 — bad15420050db1803767e58756114800cce91ea4+3
Patches
🔴Vulnerability Details
3OSV▶
CVE-2026-23191: In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at PCM trigger The PCM trigger callback of aloop driv↗2026-02-14
GHSA▶
GHSA-x3gh-q355-f5px: In the Linux kernel, the following vulnerability has been resolved:
ALSA: aloop: Fix racy access at PCM trigger
The PCM trigger callback of aloop dr↗2026-02-14