{"api_version":"1","generated_at":"2026-06-25T19:10:19+00:00","cve":"CVE-2026-53242","urls":{"html":"https://cve.report/CVE-2026-53242","api":"https://cve.report/api/cve/CVE-2026-53242.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53242","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53242"},"summary":{"title":"ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams\n\nsnd_pcm_drain() uses init_waitqueue_entry which does not clear\nentry.prev/next, and add_wait_queue with a conditional\nremove_wait_queue that is skipped when to_check is no longer\nin the group after concurrent UNLINK.  The orphaned wait entry\nremains on the unlinked substream sleep queue.  On the next\ndrain iteration, add_wait_queue adds the entry to a new queue\nwhile still linked on the old one, corrupting both lists.  A\nsubsequent wake_up dereferences NULL at the func pointer\n(mapped from the spinlock at offset 0 of the misinterpreted\nwait_queue_head_t), causing a kernel panic.\n\nReplace init_waitqueue_entry/add_wait_queue/conditional\nremove_wait_queue with init_wait_entry/prepare_to_wait/\nfinish_wait.  init_wait_entry clears prev/next via\nINIT_LIST_HEAD on each iteration and sets\nautoremove_wake_function which auto-removes the entry on\nwake-up.  finish_wait safely handles both the already-removed\nand still-queued cases.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-25 09:16:42","updated_at":"2026-06-25 09:16:42"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/d68b621bb5a48051932f1017a6e1bc9b18f854d0","name":"https://git.kernel.org/stable/c/d68b621bb5a48051932f1017a6e1bc9b18f854d0","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/7c71a9522555ff137a9ca36b15d759ca04d84788","name":"https://git.kernel.org/stable/c/7c71a9522555ff137a9ca36b15d759ca04d84788","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/b053fcd8912f06c30f932f5b8ec41c72de474695","name":"https://git.kernel.org/stable/c/b053fcd8912f06c30f932f5b8ec41c72de474695","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/cac5bf3500ee6422cf64e0df0b5daeecfed42917","name":"https://git.kernel.org/stable/c/cac5bf3500ee6422cf64e0df0b5daeecfed42917","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/cd98837db15f323463b8df07282ac723bd5c3fed","name":"https://git.kernel.org/stable/c/cd98837db15f323463b8df07282ac723bd5c3fed","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d842f26a167e77a36f3ed333b9fa99d36ef99fe6","name":"https://git.kernel.org/stable/c/d842f26a167e77a36f3ed333b9fa99d36ef99fe6","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/88fe2e3658726cb21ff2dcf9770bf672f9b9d31b","name":"https://git.kernel.org/stable/c/88fe2e3658726cb21ff2dcf9770bf672f9b9d31b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53242","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53242","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9baee36e8c5443411c4629afabafaff8a46a23fd cac5bf3500ee6422cf64e0df0b5daeecfed42917 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected fc71f888994569f87d5bee20b1ac6c9c1e3a7a79 d842f26a167e77a36f3ed333b9fa99d36ef99fe6 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 629cf09464cf98670996ea5c191dc9743e6f3f00 d68b621bb5a48051932f1017a6e1bc9b18f854d0 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ae8f8d30d334bad5b1b3cdb1eb8a0b771f55e432 b053fcd8912f06c30f932f5b8ec41c72de474695 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4a758e9a1f5ed722f83c4dd35f867fe811553bcb cd98837db15f323463b8df07282ac723bd5c3fed git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6 7c71a9522555ff137a9ca36b15d759ca04d84788 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6 88fe2e3658726cb21ff2dcf9770bf672f9b9d31b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c2f64e05a0587a83ec42dbd6b7a7ded79b2ff694 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.10.253 5.10.259 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.1.167 6.1.176 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.6.130 6.6.143 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.12.78 6.12.94 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.18.19 6.18.36 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.19.9 6.20 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7.0","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.259 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.176 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.143 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.94 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.36 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.13 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["sound/core/pcm_native.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"cac5bf3500ee6422cf64e0df0b5daeecfed42917","status":"affected","version":"9baee36e8c5443411c4629afabafaff8a46a23fd","versionType":"git"},{"lessThan":"d842f26a167e77a36f3ed333b9fa99d36ef99fe6","status":"affected","version":"fc71f888994569f87d5bee20b1ac6c9c1e3a7a79","versionType":"git"},{"lessThan":"d68b621bb5a48051932f1017a6e1bc9b18f854d0","status":"affected","version":"629cf09464cf98670996ea5c191dc9743e6f3f00","versionType":"git"},{"lessThan":"b053fcd8912f06c30f932f5b8ec41c72de474695","status":"affected","version":"ae8f8d30d334bad5b1b3cdb1eb8a0b771f55e432","versionType":"git"},{"lessThan":"cd98837db15f323463b8df07282ac723bd5c3fed","status":"affected","version":"4a758e9a1f5ed722f83c4dd35f867fe811553bcb","versionType":"git"},{"lessThan":"7c71a9522555ff137a9ca36b15d759ca04d84788","status":"affected","version":"9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6","versionType":"git"},{"lessThan":"88fe2e3658726cb21ff2dcf9770bf672f9b9d31b","status":"affected","version":"9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6","versionType":"git"},{"status":"affected","version":"c2f64e05a0587a83ec42dbd6b7a7ded79b2ff694","versionType":"git"},{"lessThan":"5.10.259","status":"affected","version":"5.10.253","versionType":"semver"},{"lessThan":"6.1.176","status":"affected","version":"6.1.167","versionType":"semver"},{"lessThan":"6.6.143","status":"affected","version":"6.6.130","versionType":"semver"},{"lessThan":"6.12.94","status":"affected","version":"6.12.78","versionType":"semver"},{"lessThan":"6.18.36","status":"affected","version":"6.18.19","versionType":"semver"},{"lessThan":"6.20","status":"affected","version":"6.19.9","versionType":"semver"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["sound/core/pcm_native.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"7.0"},{"lessThan":"7.0","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.259","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.176","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.143","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.94","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.36","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.13","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.259","versionStartIncluding":"5.10.253","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.176","versionStartIncluding":"6.1.167","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.143","versionStartIncluding":"6.6.130","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.94","versionStartIncluding":"6.12.78","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.36","versionStartIncluding":"6.18.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.13","versionStartIncluding":"7.0","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"7.0","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19.9","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams\n\nsnd_pcm_drain() uses init_waitqueue_entry which does not clear\nentry.prev/next, and add_wait_queue with a conditional\nremove_wait_queue that is skipped when to_check is no longer\nin the group after concurrent UNLINK.  The orphaned wait entry\nremains on the unlinked substream sleep queue.  On the next\ndrain iteration, add_wait_queue adds the entry to a new queue\nwhile still linked on the old one, corrupting both lists.  A\nsubsequent wake_up dereferences NULL at the func pointer\n(mapped from the spinlock at offset 0 of the misinterpreted\nwait_queue_head_t), causing a kernel panic.\n\nReplace init_waitqueue_entry/add_wait_queue/conditional\nremove_wait_queue with init_wait_entry/prepare_to_wait/\nfinish_wait.  init_wait_entry clears prev/next via\nINIT_LIST_HEAD on each iteration and sets\nautoremove_wake_function which auto-removes the entry on\nwake-up.  finish_wait safely handles both the already-removed\nand still-queued cases."}],"providerMetadata":{"dateUpdated":"2026-06-25T08:39:37.129Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/cac5bf3500ee6422cf64e0df0b5daeecfed42917"},{"url":"https://git.kernel.org/stable/c/d842f26a167e77a36f3ed333b9fa99d36ef99fe6"},{"url":"https://git.kernel.org/stable/c/d68b621bb5a48051932f1017a6e1bc9b18f854d0"},{"url":"https://git.kernel.org/stable/c/b053fcd8912f06c30f932f5b8ec41c72de474695"},{"url":"https://git.kernel.org/stable/c/cd98837db15f323463b8df07282ac723bd5c3fed"},{"url":"https://git.kernel.org/stable/c/7c71a9522555ff137a9ca36b15d759ca04d84788"},{"url":"https://git.kernel.org/stable/c/88fe2e3658726cb21ff2dcf9770bf672f9b9d31b"}],"title":"ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53242","datePublished":"2026-06-25T08:39:37.129Z","dateReserved":"2026-06-09T07:44:35.393Z","dateUpdated":"2026-06-25T08:39:37.129Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-25 09:16:42","lastModifiedDate":"2026-06-25 09:16:42","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53242","Ordinal":"1","Title":"ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on ","CVE":"CVE-2026-53242","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53242","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams\n\nsnd_pcm_drain() uses init_waitqueue_entry which does not clear\nentry.prev/next, and add_wait_queue with a conditional\nremove_wait_queue that is skipped when to_check is no longer\nin the group after concurrent UNLINK.  The orphaned wait entry\nremains on the unlinked substream sleep queue.  On the next\ndrain iteration, add_wait_queue adds the entry to a new queue\nwhile still linked on the old one, corrupting both lists.  A\nsubsequent wake_up dereferences NULL at the func pointer\n(mapped from the spinlock at offset 0 of the misinterpreted\nwait_queue_head_t), causing a kernel panic.\n\nReplace init_waitqueue_entry/add_wait_queue/conditional\nremove_wait_queue with init_wait_entry/prepare_to_wait/\nfinish_wait.  init_wait_entry clears prev/next via\nINIT_LIST_HEAD on each iteration and sets\nautoremove_wake_function which auto-removes the entry on\nwake-up.  finish_wait safely handles both the already-removed\nand still-queued cases.","Type":"Description","Title":"ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on "}]}}}