{
  "threat_severity" : "Important",
  "public_date" : "2026-05-27T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ALSA: aloop: Fix peer runtime UAF during format-change stop",
    "id" : "2481980",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2481980"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-364",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nALSA: aloop: Fix peer runtime UAF during format-change stop\nloopback_check_format() may stop the capture side when playback starts\nwith parameters that no longer match a running capture stream. Commit\n826af7fa62e3 (\"ALSA: aloop: Fix racy access at PCM trigger\") moved\nthe peer lookup under cable->lock, but the actual snd_pcm_stop() still\nruns after dropping that lock.\nA concurrent close can clear the capture entry from cable->streams[] and\ndetach or free its runtime while the playback trigger path still holds a\nstale peer substream pointer.\nKeep a per-cable count of in-flight peer stops before dropping\ncable->lock, and make free_cable() wait for those stops before\ndetaching the runtime. This preserves the existing behavior while\nmaking the peer runtime lifetime explicit.", "A flaw was found in the Linux kernel's ALSA (Advanced Linux Sound Architecture) aloop driver. This Use-After-Free (UAF) vulnerability occurs when loopback_check_format() stops the capture side during a format change, while a concurrent close operation detaches or frees the runtime. An attacker could potentially exploit this to cause a system crash or achieve arbitrary code execution." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-06-19T00:00:00Z",
    "advisory" : "RHSA-2026:27354",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.136.1.rt7.477.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-06-19T00:00:00Z",
    "advisory" : "RHSA-2026:27353",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.136.1.el8_10"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Under investigation",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-46090\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-46090\nhttps://lore.kernel.org/linux-cve-announce/2026052702-CVE-2026-46090-1211@gregkh/T" ],
  "name" : "CVE-2026-46090",
  "csaw" : false
}