SB20260507222 - Use-after-free in Linux kernel core oss



Published: May 7, 2026

Security Bulletin ID: SB20260507222
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Local access
Highest impact: Denial of service

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Use-after-free (CVE-ID: CVE-2026-43126)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service or execute arbitrary code.

The vulnerability exists due to a use-after-free in the ALSA OSS mixer layer when handling OSS mixer accesses during device disconnection. A local user can trigger concurrent mixer control operations on a disconnecting sound card to cause a denial of service or execute arbitrary code.

The issue arises because pending kcontrol operation calls may not be caught while the device is being disconnected.
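
The affected code is only reachable where the OSS mixer emulation is present, so an exposure check is useful before and after patching. The script below is an added example, not part of the bulletin or the kernel project; it assumes the module name snd_mixer_oss, the config symbol CONFIG_SND_MIXER_OSS, and a kernel config at /boot/config-<release>, which varies by distribution.

```shell
#!/bin/sh
# Added example (not from the bulletin): is the ALSA OSS mixer emulation
# present on this host? Assumed names: module snd_mixer_oss, config symbol
# CONFIG_SND_MIXER_OSS. Paths are arguments so constructed input can be used.

# oss_mixer_state MODULES_FILE KCONFIG_FILE DEV_DIR
# Prints one state:
#   loaded    - module is listed in MODULES_FILE (/proc/modules format)
#   builtin   - compiled into the kernel (=y); never appears in /proc/modules
#   available - built as a module (=m) but not currently loaded
#   devnode   - no module/config evidence, but a mixer device node exists
#   absent    - none of the above
oss_mixer_state() {
    modules_file=$1
    kconfig=$2
    dev_dir=$3

    # /proc/modules fields: name size refcount users state address
    if [ -r "$modules_file" ] &&
       awk '$1 == "snd_mixer_oss" { found = 1 } END { exit !found }' "$modules_file"
    then
        echo loaded
        return 0
    fi

    if [ -r "$kconfig" ]; then
        case $(grep '^CONFIG_SND_MIXER_OSS=' "$kconfig" || true) in
            *=y) echo builtin; return 0 ;;
            *=m) echo available; return 0 ;;
        esac
    fi

    # OSS mixer nodes are /dev/mixer, /dev/mixer1, ...
    for node in "$dev_dir"/mixer*; do
        if [ -e "$node" ]; then
            echo devnode
            return 0
        fi
    done
    echo absent
}

# Live host; /boot/config-<release> is a distribution-dependent assumption.
oss_mixer_state /proc/modules "/boot/config-$(uname -r)" /dev
```

Both loaded and builtin mean the mixer layer named in the description is live in the running kernel; builtin hosts will not show it in lsmod output.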


Remediation

Install the update from the vendor's website.