Impact
In the Linux kernel ALSA subsystem, a flaw exists in the handling of timer objects when user‑space timers (CONFIG_SND_UTIMER) are closed. The code path that handles the SNDRV_TIMER_IOCTL_PARAMS ioctl is not protected by register_mutex, potentially allowing a race condition that can result in the kernel accessing freed memory. This vulnerability is a use‑after‑free (CWE‑364).
Affected Systems
All Linux kernels that compile the ALSA subsystem with CONFIG_SND_UTIMER enabled are affected. The vulnerability exists in the timer handling code of the ALSA driver where the user‑controlled ioctl SNDRV_TIMER_IOCTL_PARAMS was not protected by the register_mutex. No specific version range is provided, so any kernel with the unpatched ALSA timer code is vulnerable.
Risk and Exploitability
The EPSS score of <1% indicates a very low likelihood of exploitation, while the CVSS score of 7.8 reflects high potential damage if exploited. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation. Because the flaw involves a concurrent ioctl on a closing timer object, the attack requires a process that can issue SNDRV_TIMER_IOCTL_PARAMS while another process is freeing the timer. The risk is therefore moderate, with significant potential impact if a local user or other process can trigger the race.
OpenCVE Enrichment