7.8
CVE-2026-53192
- EPSS 0.13%
- Veröffentlicht 25.06.2026 08:39:03
- Zuletzt bearbeitet 06.07.2026 12:37:12
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
ALSA: timer: Fix UAF at snd_timer_user_params()
In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Fix UAF at snd_timer_user_params() At releasing a timer object, e.g. when a userspace timer (CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it tries to detach the timer instances and release the resources. However, it's still possible that other in-flight tasks are holding the timer instance where the to-be-deleted timer object is associated, and this may lead to racy accesses. Fortunately, most of ioctls dealing with the timer instance list already have the protection with register_mutex, and this also avoids such races. But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the concurrent ioctl may lead to use-after-free. This patch just adds the guard with register_mutex to protect snd_timer_user_params() for covering the code path as a quick workaround. It's no hot-path but rather a rarely issued ioctl, so the performance penalty doesn't matter.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 6.12 < 6.12.94
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.36
Linux ≫ Linux Kernel Version >= 6.19 < 7.0.13
Linux ≫ Linux Kernel Version7.1 Updaterc1
Linux ≫ Linux Kernel Version7.1 Updaterc2
Linux ≫ Linux Kernel Version7.1 Updaterc3
Linux ≫ Linux Kernel Version7.1 Updaterc4
Linux ≫ Linux Kernel Version7.1 Updaterc5
Linux ≫ Linux Kernel Version7.1 Updaterc6
Linux ≫ Linux Kernel Version7.1 Updaterc7
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.13% | 0.033 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/38034d04d4a75bbca01df2b313ced0bcd0fa3242
https://git.kernel.org/stable/c/3d39da65b5c422c5e5afb7d5651b0698d060a827
https://git.kernel.org/stable/c/306427adf9b97e29e5958cb9cf3096c6151fc9ff
https://git.kernel.org/stable/c/053a401b592be424fea9d57c789f66cd5d8cec11