Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: timer: Fix UAF at snd_timer_user_params()

At releasing a timer object, e.g. when a userspace timer
(CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it
tries to detach the timer instances and release the resources.
However, it's still possible that other in-flight tasks are holding
the timer instance where the to-be-deleted timer object is associated,
and this may lead to racy accesses.

Fortunately, most of ioctls dealing with the timer instance list
already have the protection with register_mutex, and this also avoids
such races. But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the
concurrent ioctl may lead to use-after-free.

This patch just adds the guard with register_mutex to protect
snd_timer_user_params() for covering the code path as a quick
workaround. It's no hot-path but rather a rarely issued ioctl, so the
performance penalty doesn't matter.
Published: 2026-06-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel ALSA subsystem, a flaw exists in the handling of timer objects when user‑space timers (CONFIG_SND_UTIMER) are closed. The code path that handles the SNDRV_TIMER_IOCTL_PARAMS ioctl is not protected by register_mutex, potentially allowing a race condition that can result in the kernel accessing freed memory. This vulnerability is a use‑after‑free (CWE‑364).

Affected Systems

All Linux kernels that compile the ALSA subsystem with CONFIG_SND_UTIMER enabled are affected. The vulnerability exists in the timer handling code of the ALSA driver where the user‑controlled ioctl SNDRV_TIMER_IOCTL_PARAMS was not protected by the register_mutex. No specific version range is provided, so any kernel with the unpatched ALSA timer code is vulnerable.

Risk and Exploitability

The EPSS score of <1% indicates a very low likelihood of exploitation, while the CVSS score of 7.8 reflects high potential damage if exploited. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation. Because the flaw involves a concurrent ioctl on a closing timer object, the attack requires a process that can issue SNDRV_TIMER_IOCTL_PARAMS while another process is freeing the timer. The risk is therefore moderate, with significant potential impact if a local user or other process can trigger the race.

Generated by OpenCVE AI on June 28, 2026 at 14:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official kernel patch that guards snd_timer_user_params() with register_mutex
  • If the patch cannot be applied, rebuild the kernel with CONFIG_SND_UTIMER disabled to eliminate user‑controlled timers
  • Audit and monitor any use of SNDRV_TIMER_IOCTL_PARAMS to ensure it is not invoked concurrently during timer shutdown

Generated by OpenCVE AI on June 28, 2026 at 14:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 05:30:00 +0000


Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Fix UAF at snd_timer_user_params() At releasing a timer object, e.g. when a userspace timer (CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it tries to detach the timer instances and release the resources. However, it's still possible that other in-flight tasks are holding the timer instance where the to-be-deleted timer object is associated, and this may lead to racy accesses. Fortunately, most of ioctls dealing with the timer instance list already have the protection with register_mutex, and this also avoids such races. But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the concurrent ioctl may lead to use-after-free. This patch just adds the guard with register_mutex to protect snd_timer_user_params() for covering the code path as a quick workaround. It's no hot-path but rather a rarely issued ioctl, so the performance penalty doesn't matter.
Title ALSA: timer: Fix UAF at snd_timer_user_params()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-29T04:18:54.367Z

Reserved: 2026-06-09T07:44:35.390Z

Link: CVE-2026-53192

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53192 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:30:07Z

Weaknesses
  • CWE-364

    Signal Handler Race Condition