CVE-2026-46090

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: aloop: Fix peer runtime UAF during format-change stop<br /> <br /> loopback_check_format() may stop the capture side when playback starts<br /> with parameters that no longer match a running capture stream. Commit<br /> 826af7fa62e3 ("ALSA: aloop: Fix racy access at PCM trigger") moved<br /> the peer lookup under cable-&gt;lock, but the actual snd_pcm_stop() still<br /> runs after dropping that lock.<br /> <br /> A concurrent close can clear the capture entry from cable-&gt;streams[] and<br /> detach or free its runtime while the playback trigger path still holds a<br /> stale peer substream pointer.<br /> <br /> Keep a per-cable count of in-flight peer stops before dropping<br /> cable-&gt;lock, and make free_cable() wait for those stops before<br /> detaching the runtime. This preserves the existing behavior while<br /> making the peer runtime lifetime explicit.