Impact
The ALSA dummy sequencer port forwarded UMP events by copying a legacy‑sized event structure onto the stack, then treating the copy as a larger UMP packet and reading past the limit. This buffer overread (CWE‑125) can expose kernel stack contents and may trigger a kernel crash.
Affected Systems
All Linux kernels that include the ALSA sequencer module without the commit that implements the fix are affected. Users running any kernel version prior to the inclusion of those commits are susceptible, regardless of vendor or distribution.
Risk and Exploitability
The flaw is local to the ALSA subsystem; an attacker who can craft and send UMP events to the dummy client can trigger the overread. The CVSS score is 5.5, indicating moderate severity, and the EPSS score is < 1%, showing a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. If exploited, it could lead denial of service by crashing a user or service that engages with ALSA.
OpenCVE Enrichment