cve-2026-23191

CVE-2026-23191 is a Linux kernel vulnerability in the ALSA snd-aloop driver, specifically a race condition in the PCM trigger callback. The issue occurs when the driver checks PCM state and stops a tied substream outside the cable lock, leading to a potential use-after-free if a program frequently triggers streams while opening and closing the paired path. The fix involves tightening locking in loopback_check_format(), adding NULL checks, and deferring stream stopping until after the critical section. While the Microsoft update guide page is currently unavailable, the underlying kernel patch is documented in upstream stable updates. This tag covers discussions and technical details about the vulnerability and its resolution.