CVE-2026-43437

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/05/2026
Last modified:
12/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()

In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime (runtime = s->runtime at line 2157). After releasing the stream lock at line 2169, the code accesses runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size (lines 2170-2178) — all referencing the linked stream's runtime without any lock or refcount protecting its lifetime.

A concurrent close() on the linked stream's fd triggers snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private() → snd_pcm_unlink() → snd_pcm_detach_substream() → kfree(runtime). No synchronization prevents kfree(runtime) from completing while the drain path dereferences the stale pointer.

Fix by caching the needed runtime fields (no_period_wakeup, rate, buffer_size) into local variables while still holding the stream lock, and using the cached values after the lock is released.
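The fix pattern described above (copy the fields while the lock is held, use only the copies afterwards), as an added user-space C model that is not the kernel patch. The struct names, the pthread mutex, the `in_window` hook that replays the concurrent close at a fixed point, and the wait arithmetic are all assumptions made for illustration.

```c
#include <limits.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model; every name here is hypothetical. */
struct rt { int no_period_wakeup; unsigned int rate; unsigned long buffer_size; };
struct stream { pthread_mutex_t lock; struct rt *runtime; };

/* Models the concurrent close(); freeing under the lock is an assumption. */
static void close_stream(struct stream *s)
{
    pthread_mutex_lock(&s->lock);
    free(s->runtime);
    s->runtime = NULL;
    pthread_mutex_unlock(&s->lock);
}

/* Drain side; in_window runs after unlock to replay the race deterministically. */
static long drain_wait_ms(struct stream *s, void (*in_window)(struct stream *))
{
    long tout = 100;                      /* illustrative minimum wait */
    pthread_mutex_lock(&s->lock);
    if (!s->runtime) {
        pthread_mutex_unlock(&s->lock);
        return -1;
    }
    /* Snapshot the fields while the lock still pins the runtime. */
    int no_wakeup = s->runtime->no_period_wakeup;
    unsigned int rate = s->runtime->rate;
    unsigned long bufsz = s->runtime->buffer_size;
    pthread_mutex_unlock(&s->lock);
    if (in_window)
        in_window(s);                     /* runtime may be freed from here on */
    /* The unsafe form would dereference s->runtime below (use-after-free). */
    if (no_wakeup) return LONG_MAX;
    if (rate && (long)(bufsz * 1100 / rate) > tout)
        tout = (long)(bufsz * 1100 / rate);
    return tout;
}

int main(void)
{
    struct stream s = { PTHREAD_MUTEX_INITIALIZER, malloc(sizeof(struct rt)) };
    if (!s.runtime) return 1;
    *s.runtime = (struct rt){ 0, 48000, 48000 };   /* constructed sample values */
    printf("wait %ld ms\n", drain_wait_ms(&s, close_stream));
    return 0;
}
```

Building the model with `-fsanitize=address` and moving one of the three reads below the `in_window` call reproduces the stale-pointer access as a sanitizer report, which is a quick way to confirm that a similar refactor in other code actually closed the window.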