Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: timer: Forcibly close timer instances at closing

When snd_timer object is freed via snd_timer_free() and still pending
snd_timer_instance objects are assigned to the timer object, it tries
to unlink all instances and just set NULL to each ti->timer, then
releases the resources immediately. The problem is, however, when
there are slave timer instances that are associated with a master
instance linked to this timer: namely, those slave instances still
point to the freed timer object although the master instance is
unlinked, which may lead to use-after-free. The bug can be easily
triggered particularly when a new userspace-driven timer
(CONFIG_SND_UTIMER) is involved, since it can create and delete the
timer object via a simple file open/close, while the other
applications may keep accessing that timer.

This patch is an attempt to paper over the problem above: now instead
of just unlinking, call snd_timer_close[_locked]() forcibly for each
pending timer instance, so that all assigned slave timer instances are
properly detached, too. Since snd_timer_close() might be called later
by the driver that created that instance, the check of
SNDRV_TIMER_IFLG_DEAD is added at the beginning, too.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When the ALSA timer device is freed in the kernel while slave timer instances remain, the free operation leaves those slave instances pointing to a deallocated timer object. This use-after-free condition can corrupt kernel memory and cause a crash or, in a worst case, enable an attacker to execute code in privileged context. The defect originates in the ALSA timer subsystem, where snd_timer_free() unlinks instances without properly detaching their slaves. The applied patch forces a close of every pending instance and adds a SNDRV_TIMER_IFLG_DEAD flag check, preventing dangling references.
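The dangling-reference condition described above, reduced to a userspace C model (an added example, not kernel code and not taken from the patch). `struct timer`, `struct inst`, `IFLG_DEAD` and both functions are simplified stand-ins, and nothing is actually freed: the model only counts which instances would still reference the timer at the point its memory is released.

```c
/* Constructed userspace model of the timer/instance bookkeeping; not kernel code. */
#include <stddef.h>
#include <stdio.h>

#define IFLG_DEAD 0x1                /* stands in for SNDRV_TIMER_IFLG_DEAD */

struct timer { int id; };
struct inst {
    struct timer *timer;             /* models ti->timer */
    unsigned flags;
    struct inst *slaves[2];          /* slave instances attached to this master */
    int nslaves;
};

/* Models snd_timer_close(): detaches the slaves too; the DEAD check makes a
 * later close by the creating driver a no-op. Returns 1 if teardown ran. */
static int inst_close(struct inst *ti)
{
    if (ti->flags & IFLG_DEAD)
        return 0;                    /* already force-closed when the timer went away */
    ti->flags |= IFLG_DEAD;
    for (int i = 0; i < ti->nslaves; i++)
        ti->slaves[i]->timer = NULL; /* slaves stop referencing the timer */
    ti->nslaves = 0;
    ti->timer = NULL;
    return 1;
}

/* One timer, one linked master, two slaves. Returns how many instances still
 * reference the timer when its memory would be released.
 * patched == 0: unlink only; patched == 1: forced close of the linked instance. */
static int stale_refs_after_free(int patched)
{
    struct timer t = { 1 };          /* never freed here: the model only counts */
    struct inst s1 = { &t, 0, { NULL, NULL }, 0 }, s2 = s1;
    struct inst master = { &t, 0, { &s1, &s2 }, 2 };
    struct inst *all[] = { &master, &s1, &s2 };
    int stale = 0;

    if (patched)
        inst_close(&master);         /* only the master is on the timer's list */
    else
        master.timer = NULL;         /* slaves are never visited */
    for (size_t i = 0; i < sizeof all / sizeof *all; i++)
        stale += (all[i]->timer == &t);
    return stale;
}

int main(void)
{
    printf("unlink only: %d stale, forced close: %d stale\n",
           stale_refs_after_free(0), stale_refs_after_free(1));
    return 0;
}
```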

Affected Systems

All Linux kernel releases that include the ALSA timer driver with CONFIG_SND_UTIMER enabled are affected. The vulnerability affects the ALSA timer subsystem regardless of distribution, as the underlying CPE identifies the generic Linux kernel. Versions prior to the patch commit that introduced the forced close are vulnerable.

Risk and Exploitability

Because the flaw is a classic use‑after‑free, exploitation requires an application that creates ALSA timers from userspace (e.g., via CONFIG_SND_UTIMER) and then deletes the timer while other processes continue to reference it. No EPSS data is available, and the vulnerability is not yet listed in CISA KEV. The likely attack vector is userspace interactions with ALSA timers, inferred from the description, making the risk high if the kernel is not updated and the timer subsystem is exposed.

Generated by OpenCVE AI on June 25, 2026 at 11:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel version that includes the patch that forces closure of pending ALSA timer instances
  • If a kernel upgrade cannot be performed immediately, consider disabling the CONFIG_SND_UTIMER ALSA timer feature or removing ALSA timer support by recompiling the kernel with CONFIG_SND_UTIMER=n
  • Verify that no legacy applications still initialize ALSA timers before the operating system is hardened to prevent use-after-free scenarios


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Forcibly close timer instances at closing When snd_timer object is freed via snd_timer_free() and still pending snd_timer_instance objects are assigned to the timer object, it tries to unlink all instances and just set NULL to each ti->timer, then releases the resources immediately. The problem is, however, when there are slave timer instances that are associated with a master instance linked to this timer: namely, those slave instances still point to the freed timer object although the master instance is unlinked, which may lead to use-after-free. The bug can be easily triggered particularly when a new userspace-driven timer (CONFIG_SND_UTIMER) is involved, since it can create and delete the timer object via a simple file open/close, while the other applications may keep accessing that timer. This patch is an attempt to paper over the problem above: now instead of just unlinking, call snd_timer_close[_locked]() forcibly for each pending timer instance, so that all assigned slave timer instances are properly detached, too. Since snd_timer_close() might be called later by the driver that created that instance, the check of SNDRV_TIMER_IFLG_DEAD is added at the beginning, too.
Title ALSA: timer: Forcibly close timer instances at closing
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:04.346Z

Reserved: 2026-06-09T07:44:35.390Z

Link: CVE-2026-53193

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T15:30:16Z

Weaknesses