Updated: 2026-02-27 02:13:52.550696
Description:
In the Linux kernel, the following vulnerability has been resolved:

ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs

The dreamcastcard->timer could schedule the spu_dma_work and the spu_dma_work could also arm the dreamcastcard->timer.

When the snd_pcm_substream is closing, the aica_channel will be deallocated. But it could still be dereferenced in the worker thread. The reason is that del_timer() will return directly regardless of whether the timer handler is running or not and the worker could be rescheduled in the timer handler. As a result, the UAF bug will happen. The racy situation is shown below:

```
      (Thread 1)                 |      (Thread 2)
snd_aicapcm_pcm_close()          |
 ...                             |  run_spu_dma() //worker
                                 |    mod_timer()
  flush_work()                   |
  del_timer()                    |  aica_period_elapsed() //timer
  kfree(dreamcastcard->channel)  |    schedule_work()
                                 |  run_spu_dma() //worker
  ...                            |    dreamcastcard->channel-> //USE
```

In order to mitigate this bug and other possible corner cases, call mod_timer() conditionally in run_spu_dma(), then implement PCM sync_stop op to cancel both the timer and worker. The sync_stop op will be called from PCM core appropriately when needed.
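
The interleaving described above, replayed as a deterministic userspace C model (an added example, not the kernel's code or the patch). It goes beyond the diagram by also trying each half of the fix on its own. Assumptions: the `running` flag stands in for the condition on mod_timer(), which the description does not spell out, and del_timer_sync() and cancel_work_sync() are assumed to be the cancelling calls made from sync_stop.

```c
#include <stdbool.h>
/* Userspace model of the state in the race diagram; not kernel code. */
struct card {
    bool channel_alive;   /* false once kfree(dreamcastcard->channel) ran */
    bool running;         /* stream active: assumed condition for mod_timer() */
    bool timer_pending;   /* dreamcastcard->timer is armed */
    bool handler_running; /* aica_period_elapsed() is executing */
    bool work_pending;    /* spu_dma_work is queued */
    bool uaf;             /* worker touched the channel after the free */
};

/* run_spu_dma(): dereferences the channel, then re-arms the timer. */
static void worker(struct card *c, bool cond_rearm) {
    if (!c->work_pending)
        return;
    c->work_pending = false;
    if (!c->channel_alive)
        c->uaf = true;                    /* dreamcastcard->channel-> //USE */
    else if (!cond_rearm || c->running)
        c->timer_pending = true;          /* mod_timer() */
}

/* Timer expiry: aica_period_elapsed() starts if the timer was armed. */
static void timer_fire(struct card *c) {
    if (c->timer_pending) { c->timer_pending = false; c->handler_running = true; }
}
/* aica_period_elapsed() completing: schedule_work(). */
static void handler_finish(struct card *c) {
    if (c->handler_running) { c->handler_running = false; c->work_pending = true; }
}

/* Replays the close path; returns true if the freed channel is used. */
bool close_races(bool sync_stop, bool cond_rearm) {
    struct card c = { .channel_alive = true, .running = true, .work_pending = true };
    worker(&c, cond_rearm);     /* Thread 2: run_spu_dma() -> mod_timer() */
    c.running = false;          /* Thread 1: snd_aicapcm_pcm_close() begins */
    timer_fire(&c);             /* handler now runs beside Thread 1 */
    if (sync_stop) {
        handler_finish(&c);     /* del_timer_sync() waits for the handler */
        worker(&c, cond_rearm); /* worst case: cancel_work_sync() waits for a started worker */
    }                           /* else flush_work()/del_timer() return at once */
    c.channel_alive = false;    /* kfree(dreamcastcard->channel) */
    handler_finish(&c);         /* Thread 2: schedule_work() */
    worker(&c, cond_rearm);     /* Thread 2: run_spu_dma() */
    timer_fire(&c);             /* a timer re-armed before the free expires */
    handler_finish(&c);
    worker(&c, cond_rearm);     /* ... and its work touches the freed channel */
    return c.uaf;
}
```

`close_races(false, false)` follows the diagram row by row; in this model only the combination of synchronous cancellation and conditional re-arming leaves nothing scheduled after the free.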
| Links | NIST | CIRCL | RHEL | Ubuntu |

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | | 0.0 |
| CVSS Version 3.x | HIGH | 7.0 |

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | kernel | 5.14.0 | 7.0 | HIGH | Not Vulnerable | | 2025-02-14 02:42:08 | CVE-2024-26654 targets the ALSA snd-aica driver for the Sega Dreamcast (sound/sh/aica.c), which is o... |
| CentOS 6 ELS | kernel | 2.6.32 | 7.0 | HIGH | Not Vulnerable | | 2025-02-22 01:13:49 | CVE-2024-26654 only affects the ALSA Dreamcast AICA driver (sound/sh/aica), which is built exclusive... |
| CentOS 7 ELS | kernel | 3.10.0 | 7.0 | HIGH | Not Vulnerable | | 2025-02-22 01:13:48 | Not vulnerable: CVE-2024-26654 affects the ALSA Dreamcast AICA driver (sound/sh/aica), which is only... |
| CentOS 8.4 ELS | kernel | 4.18.0 | 7.0 | HIGH | Not Vulnerable | | 2025-02-14 23:52:16 | Not affected: CVE-2024-26654 is confined to the ALSA Dreamcast AICA driver (sound/sh/aica.c), which ... |
| CentOS 8.5 ELS | kernel | 4.18.0 | 7.0 | HIGH | Not Vulnerable | | 2025-02-14 23:52:16 | Not affected: CVE-2024-26654 is confined to the ALSA Dreamcast AICA driver (sound/sh/aica.c), which ... |
| CentOS Stream 8 ELS | kernel | 4.18.0 | 7.0 | HIGH | Not Vulnerable | | 2025-02-14 02:42:08 | Not affected: CVE-2024-26654 is confined to the ALSA Dreamcast AICA driver (sound/sh/aica.c), which ... |
| CloudLinux 6 ELS | kernel | 2.6.32 | 7.0 | HIGH | Not Vulnerable | | 2025-02-22 01:13:48 | |
| CloudLinux 7 ELS | kernel | 3.10.0 | 7.0 | HIGH | Not Vulnerable | | 2025-02-22 01:13:48 | Not vulnerable: CVE-2024-26654 affects the ALSA Dreamcast AICA driver (sound/sh/aica), which is only... |
| Oracle Linux 6 ELS | kernel | 2.6.32 | 7.0 | HIGH | Not Vulnerable | | 2025-02-22 01:13:48 | CVE-2024-26654 only affects the ALSA Dreamcast AICA driver (sound/sh/aica), which is built exclusive... |
| Oracle Linux 7 ELS | kernel | 3.10.0 | 7.0 | HIGH | Not Vulnerable | | 2025-02-22 01:13:48 | Not vulnerable: CVE-2024-26654 affects the ALSA Dreamcast AICA driver (sound/sh/aica), which is only... |