Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: timer: Fix UAF at snd_timer_user_params()

At releasing a timer object, e.g. when a userspace timer
(CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it
tries to detach the timer instances and release the resources.
However, it's still possible that other in-flight tasks are holding
the timer instance where the to-be-deleted timer object is associated,
and this may lead to racy accesses.

Fortunately, most of ioctls dealing with the timer instance list
already have the protection with register_mutex, and this also avoids
such races. But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the
concurrent ioctl may lead to use-after-free.

This patch just adds the guard with register_mutex to protect
snd_timer_user_params() for covering the code path as a quick
workaround. It's no hot-path but rather a rarely issued ioctl, so the
performance penalty doesn't matter.
Published: 2026-06-25
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An ALSA timer bug in the Linux kernel can cause a use-after-free when a user closes a timer object (CONFIG_SND_UTIMER) and another process concurrently invokes SNDRV_TIMER_IOCTL_PARAMS. This race allows a process to access freed kernel memory, potentially enabling arbitrary memory read/write or code execution. The flaw is a use-after-free arising from a race condition; the record classifies it as CWE-364.

Affected Systems

All Linux kernels that compile the ALSA subsystem with CONFIG_SND_UTIMER enabled are affected. The vulnerability exists in the timer handling code of the ALSA driver where the user-controlled ioctl SNDRV_TIMER_IOCTL_PARAMS was not protected by the register_mutex. No specific version range is provided, so any kernel with the unpatched ALSA timer code is vulnerable.

Risk and Exploitability

The EPSS score of <1% indicates a low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. The CVSS score of 7.0 reflects high severity. The presence of a use-after-free that can be triggered by a concurrent ioctl gives the potential for serious compromise if an attacker can run code with sufficient privileges or achieve a privilege-escalating condition. The likely attack vector is a local user or compromised process issuing the SNDRV_TIMER_IOCTL_PARAMS ioctl while another process closes a timer. The risk is moderate to high where ALSA timers are used.

Generated by OpenCVE AI on June 26, 2026 at 13:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official kernel patch that guards snd_timer_user_params() with register_mutex
  • If the patch cannot be applied, rebuild the kernel with CONFIG_SND_UTIMER disabled to eliminate user-controlled timers
  • Audit and monitor any use of SNDRV_TIMER_IOCTL_PARAMS to ensure it is not invoked concurrently during timer shutdown
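
One way to run the configuration check behind the second recommended action, as an added example that is not part of the OpenCVE page or the kernel project. The function names are hypothetical, the two sample configs are constructed, and the script assumes the running kernel's config is readable at /proc/config.gz or /boot/config-$(uname -r).

```shell
#!/bin/sh
# Classify CONFIG_SND_UTIMER from kernel config text read on stdin.
# Prints one of: enabled, module, disabled, absent
utimer_state() {
    awk '
        /^CONFIG_SND_UTIMER=y$/            { s = "enabled" }
        /^CONFIG_SND_UTIMER=m$/            { s = "module" }
        /^# CONFIG_SND_UTIMER is not set$/ { s = "disabled" }
        END { print (s == "" ? "absent" : s) }
    '
}

# Emit the running kernel's config from the usual locations (assumed paths).
# Returns 1 when neither is readable.
kernel_config() {
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Report for this host: 0 = userspace timers not built, 1 = built, 2 = unknown.
check_host() {
    cfg=$(kernel_config) || { echo "unknown: kernel config not readable"; return 2; }
    state=$(printf '%s\n' "$cfg" | utimer_state)
    case "$state" in
        enabled|module)
            echo "review: CONFIG_SND_UTIMER is $state; confirm the register_mutex fix is applied"
            return 1 ;;
        *)
            echo "ok: CONFIG_SND_UTIMER is $state"
            return 0 ;;
    esac
}

# Constructed sample configs (not taken from any real host).
SAMPLE_ON='CONFIG_SND_TIMER=y
CONFIG_SND_UTIMER=y'
SAMPLE_OFF='CONFIG_SND_TIMER=y
# CONFIG_SND_UTIMER is not set'

# Run against the local host only when asked to: sh script.sh --check
if [ "${1:-}" = "--check" ]; then check_host; exit $?; fi
```

A result of "absent" means the symbol does not appear in the config at all, which is distinct from an explicit "is not set" line.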

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Fix UAF at snd_timer_user_params() At releasing a timer object, e.g. when a userspace timer (CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it tries to detach the timer instances and release the resources. However, it's still possible that other in-flight tasks are holding the timer instance where the to-be-deleted timer object is associated, and this may lead to racy accesses. Fortunately, most of ioctls dealing with the timer instance list already have the protection with register_mutex, and this also avoids such races. But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the concurrent ioctl may lead to use-after-free. This patch just adds the guard with register_mutex to protect snd_timer_user_params() for covering the code path as a quick workaround. It's no hot-path but rather a rarely issued ioctl, so the performance penalty doesn't matter.
Title ALSA: timer: Fix UAF at snd_timer_user_params()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:03.696Z

Reserved: 2026-06-09T07:44:35.390Z

Link: CVE-2026-53192

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Moderate

Public Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53192 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-26T14:00:22Z

Weaknesses
  • CWE-364

    Signal Handler Race Condition