Use After Free Affecting kernel-modules package, versions <0:4.18.0-553.136.1.el8_10


Severity

Recommended
high

Based on Oracle Linux security rating.

Threat Intelligence

EPSS
0.1% (2nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-ORACLE8-KERNELMODULES-17400436
  • published22 Jun 2026
  • disclosed27 May 2026

Introduced: 27 May 2026

CVE-2026-46090  (opens in a new tab)
CWE-416  (opens in a new tab)

How to fix?

Upgrade Oracle:8 kernel-modules to version 0:4.18.0-553.136.1.el8_10 or higher.
This issue was patched in ELSA-2026-27353.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-modules package and not the kernel-modules package as distributed by Oracle. See How to fix? for Oracle:8 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

ALSA: aloop: Fix peer runtime UAF during format-change stop

loopback_check_format() may stop the capture side when playback starts with parameters that no longer match a running capture stream. Commit 826af7fa62e3 ("ALSA: aloop: Fix racy access at PCM trigger") moved the peer lookup under cable->lock, but the actual snd_pcm_stop() still runs after dropping that lock.

A concurrent close can clear the capture entry from cable->streams[] and detach or free its runtime while the playback trigger path still holds a stale peer substream pointer.

Keep a per-cable count of in-flight peer stops before dropping cable->lock, and make free_cable() wait for those stops before detaching the runtime. This preserves the existing behavior while making the peer runtime lifetime explicit.

CVSS Base Scores

version 3.1