
CVE-2026-46262 is a deadlock vulnerability in the Linux kernel's ASoC (Audio System on Chip) subsystem, specifically in the fsl_xcvr driver. It was introduced by an earlier patch (commit f51424872760) that wrongly added a lock acquisition in fsl_xcvr_mode_put(). The ALSA core function snd_ctl_elem_write(), which already holds the write lock on card->controls_rwsem, calls this function, so the extra acquisition deadlocks and leaves the task hung. The vulnerability was disclosed on June 3, 2026, and affects Linux kernel versions 5.15.201, 6.1.164, 6.6.127, 6.12.74, 6.18.13, and 6.19.x before 6.19.4. It carries a CVSS v3.1 base score of 5.5 (Medium) (GitHub Advisory).
The root cause is classified as CWE-667 (Improper Locking). The flawed commit f51424872760 attempted to acquire a read lock (down_read) on card->controls_rwsem inside fsl_xcvr_mode_put(), but the calling function snd_ctl_elem_write() in the ALSA core already holds the write lock (down_write) on the same semaphore for the duration of the put operation. A Linux rwsem is not recursive, so a thread that requests the read side while it already holds the write side waits on itself: the read acquisition never completes and the kernel task hangs indefinitely. The fix reverts the erroneous lock acquisition, as fsl_xcvr_activate_ctl() does not require the lock to be re-acquired in this context (GitHub Advisory).
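The following is an added user-space model of the locking mistake described above; it is not the Linux kernel's rwsem, ALSA or fsl_xcvr code. The names model_snd_ctl_elem_write, flawed_mode_put and fixed_mode_put are constructed stand-ins for the functions the advisory names, and the model reports a would-be deadlock as a return value instead of actually blocking, so it can be run and checked offline.

```c
/* Constructed model of CVE-2026-46262's locking error (added example,
 * not kernel code). A task takes the write side of a rwsem, then a
 * callback running under that lock asks for the read side of the same
 * rwsem. A real rwsem blocks forever there; this model returns a code. */
#include <stdio.h>

/* Simplified rw_semaphore: one writer owner id, a reader count.
 * Like the real thing it is not recursive. */
struct model_rwsem {
    int writer_owner;   /* 0 = no writer, else id of the owning task */
    int readers;
};

enum lock_result { LOCK_OK = 0, LOCK_WOULD_DEADLOCK = 1 };

/* down_write: only succeeds when the semaphore is free. The model has a
 * single task, so any contention is a wait that can never be satisfied. */
static enum lock_result model_down_write(struct model_rwsem *sem, int task)
{
    if (sem->writer_owner != 0 || sem->readers != 0)
        return LOCK_WOULD_DEADLOCK;
    sem->writer_owner = task;
    return LOCK_OK;
}

static void model_up_write(struct model_rwsem *sem) { sem->writer_owner = 0; }

/* down_read: must wait while a writer holds the semaphore. When that
 * writer is the caller itself, the wait is a self-deadlock. */
static enum lock_result model_down_read(struct model_rwsem *sem, int task)
{
    if (sem->writer_owner == task)
        return LOCK_WOULD_DEADLOCK;   /* caller holds the write side: waits on itself */
    if (sem->writer_owner != 0)
        return LOCK_WOULD_DEADLOCK;   /* foreign writer; nobody else exists to release it */
    sem->readers++;
    return LOCK_OK;
}

static void model_up_read(struct model_rwsem *sem) { sem->readers--; }

/* Model of the ALSA core path in the advisory: the control write handler
 * takes controls_rwsem for writing, then invokes the element's put
 * callback with that lock still held. */
typedef enum lock_result (*put_fn)(struct model_rwsem *controls_rwsem, int task);

static enum lock_result model_snd_ctl_elem_write(struct model_rwsem *controls_rwsem,
                                                 int task, put_fn put)
{
    enum lock_result r = model_down_write(controls_rwsem, task);
    if (r != LOCK_OK)
        return r;
    r = put(controls_rwsem, task);    /* driver callback runs under the write lock */
    model_up_write(controls_rwsem);
    return r;
}

/* Flawed callback, modelling the behaviour the advisory attributes to
 * commit f51424872760: re-acquires the read side of the same semaphore. */
static enum lock_result flawed_mode_put(struct model_rwsem *controls_rwsem, int task)
{
    enum lock_result r = model_down_read(controls_rwsem, task);
    if (r != LOCK_OK)
        return r;                     /* in the kernel the task hangs here */
    /* ... control activation would happen here ... */
    model_up_read(controls_rwsem);
    return LOCK_OK;
}

/* Fixed callback: the caller already holds the lock, so the put handler
 * does its work without touching controls_rwsem at all. */
static enum lock_result fixed_mode_put(struct model_rwsem *controls_rwsem, int task)
{
    (void)controls_rwsem;
    (void)task;
    /* ... control activation would happen here ... */
    return LOCK_OK;
}

/* Run one control write through the given callback and return its result. */
enum lock_result run_control_write(put_fn put)
{
    struct model_rwsem controls_rwsem = { 0, 0 };
    return model_snd_ctl_elem_write(&controls_rwsem, /* task id */ 1, put);
}

enum lock_result run_flawed(void) { return run_control_write(flawed_mode_put); }
enum lock_result run_fixed(void)  { return run_control_write(fixed_mode_put); }

int main(void)
{
    printf("flawed put: %s\n", run_flawed() == LOCK_WOULD_DEADLOCK ? "would deadlock" : "ok");
    printf("fixed put:  %s\n", run_fixed() == LOCK_OK ? "ok" : "would deadlock");
    return 0;
}
```

On a real kernel the same pattern is caught much earlier with lockdep (CONFIG_PROVE_LOCKING), which reports a recursive acquisition of the same lock class at the first occurrence, and the hung task detector (CONFIG_DETECT_HUNG_TASK) is what produces the "hung task" report the advisory describes once the write-lock holder has been blocked in uninterruptible sleep past the configured timeout.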
Successful exploitation results in a kernel task hang (Denial of Service), with no impact on confidentiality or integrity (CVSS: C:N/I:N/A:H). Any local user with access to ALSA control elements on an affected system can trigger the deadlock by writing to the fsl_xcvr mode control, potentially rendering the audio subsystem or the affected kernel thread unresponsive. The scope is limited to the local system and does not facilitate lateral movement or data exfiltration (GitHub Advisory).
The fix is to update the Linux kernel to a patched version that reverts commit f51424872760. Patched versions include: 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, and kernel 7.0. Multiple stable-tree patches have been published at git.kernel.org. As a temporary workaround, restricting unprivileged user access to ALSA control elements (e.g., via permissions or access controls) can reduce exposure while patches are applied (GitHub Advisory).
The bug was reported by Alexander Stein, who identified the hung task behavior caused by the deadlock. The fix was accepted into multiple Linux stable trees shortly after disclosure. No significant broader media coverage or notable community debate has been observed beyond the standard kernel patch review process (GitHub Advisory).
Source: This report was generated with the help of AI