CVE-2026-53242
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
A vulnerability in the Linux kernel's ALSA PCM driver was found where snd_pcm_drain() can corrupt wait queues when operating on linked streams. The flaw stems from improper wait entry management, potentially leading to a NULL pointer dereference and kernel panic.
Risk Assessment
A local attacker could exploit this vulnerability to cause a kernel panic (DoS), disrupting system operation. The risk is particularly relevant in multi-tenant environments or when using advanced audio features.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit addressing the issue). For production systems, apply the security patch after thorough testing.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams snd_pcm_drain() uses init_waitqueue_entry which does not clear entry.prev/next, and add_wait_queue with a conditional remove_wait_queue that is skipped when to_check is no longer in the group after concurrent UNLINK. The orphaned wait entry remains on the unlinked substream sleep queue. On the next drain iteration, add_wait_queue adds the entry to a new queue while still linked on the old one, corrupting both lists. A subsequent wake_up dereferences NULL at the func pointer (mapped from the spinlock at offset 0 of the misinterpreted wait_queue_head_t), causing a kernel panic. Replace init_waitqueue_entry/add_wait_queue/conditional remove_wait_queue with init_wait_entry/prepare_to_wait/ finish_wait. init_wait_entry clears prev/next via INIT_LIST_HEAD on each iteration and sets autoremove_wake_function which auto-removes the entry on wake-up. finish_wait safely handles both the already-removed and still-queued cases.

