Cyber Resilience

CVE-2026-23191

High

Published: 14 February 2026

Published
14 February 2026
Modified
03 April 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 4.6th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23191 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-23191 is a use-after-free (UAF) vulnerability, classified under CWE-416, in the Linux kernel's ALSA aloop driver. The issue arises in the PCM trigger callback, where racy access occurs outside the cable lock when checking the PCM state and stopping the stream of a tied substream. This can lead to UAF during frequent trigger operations while opening or closing the tied stream, as detected by fuzzers. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability by rapidly triggering PCM operations on the aloop device while manipulating tied substreams through open/close cycles. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution, data corruption, or system crashes within the kernel context.

The referenced kernel patches mitigate the issue by protecting most of the loopback_check_format() code with the cable->lock spinlock, adding NULL checks to prevent racy accesses, and verifying the state of the capture PCM stream to address the primary UAF trigger. Security practitioners should apply the stable kernel commits at https://git.kernel.org/stable/c/5727ccf9d19ca414cb76d9b647883822e2789c2e, https://git.kernel.org/stable/c/826af7fa62e347464b1b4e0ba2fe19a92438084f, and https://git.kernel.org/stable/c/bad15420050db1803767e58756114800cce91ea4 to affected systems.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at PCM trigger The PCM trigger callback of aloop driver tries to check the PCM state and stop the stream of the tied substream in…

more

the corresponding cable. Since both check and stop operations are performed outside the cable lock, this may result in UAF when a program attempts to trigger frequently while opening/closing the tied stream, as spotted by fuzzers. For addressing the UAF, this patch changes two things: - It covers the most of code in loopback_check_format() with cable->lock spinlock, and add the proper NULL checks. This avoids already some racy accesses. - In addition, now we try to check the state of the capture PCM stream that may be stopped in this function, which was the major pain point leading to UAF.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF in ALSA driver directly enables privilege escalation via arbitrary code execution from low-privileged context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2026-23158Same product: Linux Linux Kernel
CVE-2025-21893Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2026-31650Same product: Linux Linux Kernel
CVE-2026-23001Same product: Linux Linux Kernel
CVE-2024-50051Same product: Linux Linux Kernel
CVE-2025-21759Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.19 · 2.6.37 — 6.12.70 · 6.13 — 6.18.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the UAF vulnerability in the ALSA aloop driver by requiring timely identification, reporting, and application of the specified kernel patches.

prevent

Mitigates exploitation of the UAF race condition through kernel memory protections such as non-executable stacks and data execution prevention.

prevent

Reduces attack surface by disabling the non-essential aloop loopback driver, preventing exposure to the PCM trigger race condition.

References