SB20260507222 - Use-after-free in Linux kernel core oss
Published: May 7, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Use-after-free (CVE-ID: CVE-2026-43126)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service or execute arbitrary code.
The vulnerability exists due to a use-after-free in the ALSA OSS mixer layer when handling OSS mixer accesses during device disconnection. A local user can trigger concurrent mixer control operations on a disconnecting sound card to cause a denial of service or execute arbitrary code.
The issue arises because pending kcontrol operation calls may not be caught while the device is being disconnected.
Remediation
Install the update from the vendor's website.