CVE-2026-53242— ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-53242
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams snd_pcm_drain() uses init_waitqueue_entry which does not clear entry.prev/next, and add_wait_queue with a conditional remove_wait_queue that is skipped when to_check is no longer in the group after concurrent UNLINK. The orphaned wait entry remains on the unlinked substream sleep queue. On the next drain iteration, add_wait_queue adds the entry to a new queue while still linked on the old one, corrupting both lists. A subsequent wake_up dereferences NULL at the func pointer (mapped from the spinlock at offset 0 of the misinterpreted wait_queue_head_t), causing a kernel panic. Replace init_waitqueue_entry/add_wait_queue/conditional remove_wait_queue with init_wait_entry/prepare_to_wait/ finish_wait. init_wait_entry clears prev/next via INIT_LIST_HEAD on each iteration and sets autoremove_wake_function which auto-removes the entry on wake-up. finish_wait safely handles both the already-removed and still-queued cases.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-53242
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-53242
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-53242 (1)
Other References for CVE-2026-53242 (6)
Same Patch Batch · Linux · 2026-06-25 · 147 CVEs total
| CVE-2026-53185 | zram: fix use-after-free in zram_bvec_write_partial() | |
| CVE-2026-53167 | fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios | |
| CVE-2026-53168 | fuse: reject fuse_notify() pagecache ops on directories | |
| CVE-2026-53169 | accel/ethosu: reject NPU_OP_RESIZE commands from userspace | |
| CVE-2026-53171 | accel/ethosu: fix arithmetic issues in dma_length() | |
| CVE-2026-53170 | accel/ethosu: reject DMA commands with uninitialized length | |
| CVE-2026-53172 | accel/ethosu: fix IFM region index out-of-bounds in command stream parser | |
| CVE-2026-53174 | ovl: keep err zero after successful ovl_cache_get() | |
| CVE-2026-53173 | accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate() | |
| CVE-2026-53175 | inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush | |
| CVE-2026-53177 | bnxt_en: Fix NULL pointer dereference | |
| CVE-2026-53176 | IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN | |
| CVE-2026-53178 | staging: rtl8723bs: rtw_mlme: add bounds checks before ie_length subtraction | |
| CVE-2026-53180 | timers/migration: Fix livelock in tmigr_handle_remote_up() | |
| CVE-2026-53179 | staging: rtl8723bs: fix buffer over-read in rtw_update_protection | |
| CVE-2026-53181 | vsock/vmci: fix sk_ack_backlog leak on failed handshake | |
| CVE-2026-53182 | wifi: nl80211: reject oversized EMA RNR lists | |
| CVE-2026-53183 | mptcp: allow subflow rcv wnd to shrink | |
| CVE-2026-53184 | udp: clear skb->dev before running a sockmap verdict | |
| CVE-2026-53196 | USB: serial: io_ti: fix heap overflow in get_manuf_info() |
Showing top 20 of 147 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-53277
KVM: arm64: Take the SRCU lock for page table walks in fault - CVE-2026-53276
Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer - CVE-2026-53275
ipv6: mcast: Fix use-after-free when processing MLD queries - CVE-2026-53274
net/smc: fix sleep-inside-lock in __smc_setsockopt() causing - CVE-2026-53273
tee: optee: prevent use-after-free when the client exits bef
Same vendor: Linux
- CVE-2026-53277
KVM: arm64: Take the SRCU lock for page table walks in fault - CVE-2026-53276
Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer - CVE-2026-53275
ipv6: mcast: Fix use-after-free when processing MLD queries - CVE-2026-53274
net/smc: fix sleep-inside-lock in __smc_setsockopt() causing - CVE-2026-53273
tee: optee: prevent use-after-free when the client exits bef
V. Comments for CVE-2026-53242
No comments yet