CVE-2026-23191
Published: 14 February 2026
Summary
CVE-2026-23191 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-23191 is a use-after-free (UAF) vulnerability, classified under CWE-416, in the Linux kernel's ALSA aloop driver. The issue arises in the PCM trigger callback, where racy access occurs outside the cable lock when checking the PCM state and stopping the stream of a tied substream. This can lead to UAF during frequent trigger operations while opening or closing the tied stream, as detected by fuzzers. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by rapidly triggering PCM operations on the aloop device while manipulating tied substreams through open/close cycles. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution, data corruption, or system crashes within the kernel context.
The referenced kernel patches mitigate the issue by protecting most of the loopback_check_format() code with the cable->lock spinlock, adding NULL checks to prevent racy accesses, and verifying the state of the capture PCM stream to address the primary UAF trigger. Security practitioners should apply the stable kernel commits at https://git.kernel.org/stable/c/5727ccf9d19ca414cb76d9b647883822e2789c2e, https://git.kernel.org/stable/c/826af7fa62e347464b1b4e0ba2fe19a92438084f, and https://git.kernel.org/stable/c/bad15420050db1803767e58756114800cce91ea4 to affected systems.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6109
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
ALSA: aloop: Fix racy access at PCM trigger
The PCM trigger callback of aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are performed outside the cable lock, this may result in UAF when a program attempts to trigger frequently while opening/closing the tied stream, as spotted by fuzzers.
For addressing the UAF, this patch changes two things:
- It covers the most of code in loopback_check_format() with cable->lock spinlock, and add the proper NULL checks. This avoids already some racy accesses.
- In addition, now we try to check the state of the capture PCM stream that may be stopped in this function, which was the major pain point leading to UAF.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel UAF in ALSA driver directly enables privilege escalation via arbitrary code execution from low-privileged context.
Mitigating Controls (NIST 800-53 r5)
Directly remediates the UAF vulnerability in the ALSA aloop driver by requiring timely identification, reporting, and application of the specified kernel patches.
Mitigates exploitation of the UAF race condition through kernel memory protections such as non-executable stacks and data execution prevention.
Reduces attack surface by disabling the non-essential aloop loopback driver, preventing exposure to the PCM trigger race condition.
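One way to audit the least-functionality control on a host, as an added example that is not part of the original advisory or the kernel project. It assumes the driver is built as the `snd-aloop` module and that module policy lives in `/etc/modprobe.d`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether the ALSA loopback driver is reachable on a host.
# Assumptions: module name snd-aloop (snd_aloop in /proc/modules) and the usual
# /etc/modprobe.d layout. Paths are parameters so fixtures can be substituted.

# aloop_loaded [PROC_MODULES]: succeeds if the module is currently loaded.
aloop_loaded() {
    awk '$1 == "snd_aloop" { found = 1 } END { exit !found }' \
        "${1:-/proc/modules}"
}

# aloop_blocked [MODPROBE_DIR]: succeeds only if an "install" override makes
# modprobe run /bin/false or /bin/true instead of loading the module.
# A plain "blacklist" line is not accepted: it only stops alias-based
# autoloading, and an explicit modprobe request would still load the driver.
aloop_blocked() {
    dir="${1:-/etc/modprobe.d}"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # modprobe treats '-' and '_' in module names as equivalent
        if awk '$1 == "install" && ($2 == "snd-aloop" || $2 == "snd_aloop") &&
                ($3 == "/bin/false" || $3 == "/bin/true") { ok = 1 }
                END { exit !ok }' "$f"; then
            return 0
        fi
    done
    return 1
}

# aloop_status [PROC_MODULES] [MODPROBE_DIR]: prints one of
#   LOADED    driver is live; patch status decides exposure
#   BLOCKED   not loaded and modprobe will refuse to load it
#   LOADABLE  not loaded, but nothing prevents it from being loaded
aloop_status() {
    if aloop_loaded "$1"; then
        echo "LOADED"
    elif aloop_blocked "$2"; then
        echo "BLOCKED"
    else
        echo "LOADABLE"
    fi
}

aloop_status "$@"
```

A `BLOCKED` result covers module loading through modprobe only; a kernel with the driver built in, or a module inserted directly by root, is outside what this check sees.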