Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CVE-2026-43459— ASoC: soc-core: flush delayed work before removing DAIs and widgets

CVSS 7.3 · High EPSS 0.11% · P2

Possible ATT&CK Techniques 1AI

T1211 · Exploitation for Stealth

Affected Version Matrix 18

VendorProductVersion RangeStatus
LinuxLinuxe894efef9ac7c10b7727798dcc711cccf07569f9< bf80a89da97285d9b877e0c6995e870d46b8025caffected
e894efef9ac7c10b7727798dcc711cccf07569f9< 3887e514978d28216246360b46a9cb534969eb5aaffected
e894efef9ac7c10b7727798dcc711cccf07569f9< 231568afbc0cd25b8fb2a94ebf9738eabe1cf007affected
e894efef9ac7c10b7727798dcc711cccf07569f9< 317a9298c54bb00319da73e5a7179f00e67fcbdfaffected
e894efef9ac7c10b7727798dcc711cccf07569f9< eab71e11ce2447c1e01809cbc11eab4234cf8dc8affected
e894efef9ac7c10b7727798dcc711cccf07569f9< 7d33e6140945482a07f8089ee86e13e02553ffdbaffected
e894efef9ac7c10b7727798dcc711cccf07569f9< c054f0607c8bb1b1aa529bc109e4149298a1cccdaffected
e894efef9ac7c10b7727798dcc711cccf07569f9< 95bc5c225513fc3c4ce169563fb5e3929fbb938baffected
… +10 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-43459

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
ASoC: soc-core: flush delayed work before removing DAIs and widgets
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-core: flush delayed work before removing DAIs and widgets When a sound card is unbound while a PCM stream is open, a use-after-free can occur in snd_soc_dapm_stream_event(), called from the close_delayed_work workqueue handler. During unbind, snd_soc_unbind_card() flushes delayed work and then calls soc_cleanup_card_resources(). Inside cleanup, snd_card_disconnect_sync() releases all PCM file descriptors, and the resulting PCM close path can call snd_soc_dapm_stream_stop() which schedules new delayed work with a pmdown_time timer delay. Since this happens after the flush in snd_soc_unbind_card(), the new work is not caught. soc_remove_link_components() then frees DAPM widgets before this work fires, leading to the use-after-free. The existing flush in soc_free_pcm_runtime() also cannot help as it runs after soc_remove_link_components() has already freed the widgets. Add a flush in soc_cleanup_card_resources() after snd_card_disconnect_sync() (after which no new PCM closes can schedule further delayed work) and before soc_remove_link_dais() and soc_remove_link_components() (which tear down the structures the delayed work accesses).
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于ASoC soc-core组件在移除DAI和widget之前未刷新延迟工作,可能导致释放后重用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux e894efef9ac7c10b7727798dcc711cccf07569f9 ~ bf80a89da97285d9b877e0c6995e870d46b8025c -
LinuxLinux 4.20 -

II. Public POCs for CVE-2026-43459

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-43459

登录查看更多情报信息。

Patches & Fixes for CVE-2026-43459 (8)

Same Patch Batch · Linux · 2026-05-08 · 197 CVEs total

CVE-2026-433849.8 CRITICALnet/tcp-ao: Fix MAC comparison to be constant-time
CVE-2026-434149.8 CRITICALscsi: qla2xxx: Completely fix fcport double free
CVE-2026-433419.8 CRITICALnet/ipv6: ioam6: prevent schema length wraparound in trace fill
CVE-2026-433769.8 CRITICALksmbd: fix use-after-free by using call_rcu() for oplock_info
CVE-2026-433789.8 CRITICALsmb: server: fix use-after-free in smb2_open()
CVE-2026-434659.8 CRITICALnet/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ
CVE-2026-433799.8 CRITICALksmbd: fix use-after-free in smb_lazy_parent_lease_break_close()
CVE-2026-433049.8 CRITICALlibceph: define and enforce CEPH_MAX_KEY_LEN
CVE-2026-434029.8 CRITICALkthread: consolidate kthread exit paths to prevent use-after-free
CVE-2026-433839.4 CRITICALnet/tcp-md5: Fix MAC comparison to be constant-time
CVE-2026-434079.1 CRITICALlibceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
CVE-2026-434069.1 CRITICALlibceph: prevent potential out-of-bounds reads in process_message_header()
CVE-2026-433348.8 HIGHBluetooth: SMP: force responder MITM requirements before building the pairing response
CVE-2026-433918.8 HIGHnsfs: tighten permission checks for handle opening
CVE-2026-433228.8 HIGHBluetooth: hci_sync: Fix UAF in le_read_features_complete
CVE-2026-432848.8 HIGHxfrm: esp: avoid in-place decrypt on shared skb frags
CVE-2026-434038.8 HIGHnsfs: tighten permission checks for ns iteration ioctls
CVE-2026-432918.3 HIGHnet: nfc: nci: Fix parameter validation for packet data
CVE-2026-434528.2 HIGHnetfilter: x_tables: guard option walkers against 1-byte tail reads
CVE-2026-433658.2 HIGHxfs: fix undersized l_iclog_roundoff values

Showing top 20 of 197 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-43459

No comments yet

Leave a comment