Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
High

Use-after-free in Linux kernel ALSA snd_pcm_drain() linked stream runtime handling

IdentifiersCVE-2026-43437CWE-416· Use After Free

CVE-2026-43437 is a local use-after-free vulnerability in the Linux kernel ALSA PCM subsystem, specifically in snd_pcm_drain(). In the vulnerable drain loop, the local variable runtime is reassigned to a linked stream's runtime (runtime = s->runtime). After the stream lock is released, the code dereferences fields from that linked runtime, including no_period_wakeup, rate, and buffer_size, without any lock or reference protecting the lifetime of the linked runtime object. A concurrent close() on the linked stream's file descriptor can execute snd_pcm_release_substream() -> snd_pcm_drop() -> pcm_release_private() -> snd_pcm_unlink() -> snd_pcm_detach_substream() -> kfree(runtime), freeing the runtime while snd_pcm_drain() still holds and uses the stale pointer. The fix caches the required runtime fields into local variables while the stream lock is still held and uses those cached values after unlocking, eliminating the stale dereference.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow a local attacker with low privileges to trigger a kernel memory-safety violation in ALSA PCM handling. Because the flaw is a kernel-space use-after-free, impact can include kernel crash or denial of service, memory corruption, and potentially escalation to arbitrary code execution in kernel context. Available scoring information indicates high confidentiality, integrity, and availability impact.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting local access to systems, restricting untrusted users from interacting with ALSA PCM devices and linked-stream functionality, and minimizing availability of audio device access inside shared or multi-tenant environments. Because the attack vector is local and requires interaction with vulnerable kernel ALSA paths, hardening local account access and container/device passthrough policies may reduce risk. No complete mitigation short of applying the kernel fix is currently available from the provided information.

Remediation

Patch, then assume compromise.

Apply a Linux kernel update that includes the ALSA PCM fix for CVE-2026-43437. The upstream remediation is to modify snd_pcm_drain() so that no_period_wakeup, rate, and buffer_size are copied from the linked stream runtime into local variables before releasing the stream lock, and only the cached values are used afterward. Vendor advisories indicate fixes have been shipped in multiple SUSE kernel updates; affected systems should be updated to the vendor-provided patched kernel build and rebooted.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

8 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-43437
NVD
nvd.nist.gov/vuln/detail/CVE-2026-43437
MITRE CWE · CWE-416
Use After Free
Patch
git.kernel.org/stable/c/4a758e9a1f5ed722f83c4dd35f867fe811553bcb
Patch
git.kernel.org/stable/c/629cf09464cf98670996ea5c191dc9743e6f3f00
Patch
git.kernel.org/stable/c/9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6
Patch
git.kernel.org/stable/c/9baee36e8c5443411c4629afabafaff8a46a23fd
Patch
git.kernel.org/stable/c/ae8f8d30d334bad5b1b3cdb1eb8a0b771f55e432
Patch
git.kernel.org/stable/c/c2f64e05a0587a83ec42dbd6b7a7ded79b2ff694
Patch
git.kernel.org/stable/c/fc71f888994569f87d5bee20b1ac6c9c1e3a7a79