ALSA: timer: Fix UAF at snd_timer_user_params()
Summary
| CVE | CVE-2026-53192 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-25 09:16:36 UTC |
| Updated | 2026-07-06 12:37:12 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Fix UAF at snd_timer_user_params() At releasing a timer object, e.g. when a userspace timer (CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it tries to detach the timer instances and release the resources. However, it's still possible that other in-flight tasks are holding the timer instance where the to-be-deleted timer object is associated, and this may lead to racy accesses. Fortunately, most of ioctls dealing with the timer instance list already have the protection with register_mutex, and this also avoids such races. But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the concurrent ioctl may lead to use-after-free. This patch just adds the guard with register_mutex to protect snd_timer_user_params() for covering the code path as a quick workaround. It's no hot-path but rather a rarely issued ioctl, so the performance penalty doesn't matter. |
Risk And Classification
Primary CVSS: v3.1 7.8 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.001340000 probability, percentile 0.032490000 (date 2026-07-04)
Problem Types: CWE-416
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | Secondary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 37745918e0e7575bc40f38da93a99b9fa6406224 38034d04d4a75bbca01df2b313ced0bcd0fa3242 git | Not specified |
| CNA | Linux | Linux | affected 37745918e0e7575bc40f38da93a99b9fa6406224 3d39da65b5c422c5e5afb7d5651b0698d060a827 git | Not specified |
| CNA | Linux | Linux | affected 37745918e0e7575bc40f38da93a99b9fa6406224 306427adf9b97e29e5958cb9cf3096c6151fc9ff git | Not specified |
| CNA | Linux | Linux | affected 37745918e0e7575bc40f38da93a99b9fa6406224 053a401b592be424fea9d57c789f66cd5d8cec11 git | Not specified |
| CNA | Linux | Linux | affected 6.12 | Not specified |
| CNA | Linux | Linux | unaffected 6.12 semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.94 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.36 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.13 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/053a401b592be424fea9d57c789f66cd5d8cec11 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/306427adf9b97e29e5958cb9cf3096c6151fc9ff | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/3d39da65b5c422c5e5afb7d5651b0698d060a827 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/38034d04d4a75bbca01df2b313ced0bcd0fa3242 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/117743d62e1225e208568a3ffc2c07214f1347cb | MITRE | git.kernel.org | |
| git.kernel.org/stable/c/92ad2d7f80cad43b046f093e808e11fe919d304a | MITRE | git.kernel.org | |
| git.kernel.org/stable/c/b2214914e461d0466548a52dfe4f4ee8ce362276 | MITRE | git.kernel.org | |
| git.kernel.org/stable/c/e2331730175f74169046d2af8db1b47243df7c7a | MITRE | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.