ALSA: timer: Fix UAF at snd_timer_user_params()_CVE-2026-53192

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: timer: Fix UAF at snd_timer_user_params()

At releasing a timer object, e.g. when a userspace timer
(CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it
tries to detach the timer instances and release the resources.
However, it's still possible that other in-flight tasks are holding
the timer instance where the to-be-deleted timer object is associated,
and this may lead to racy accesses.

Fortunately, most of ioctls dealing with the timer instance list
already have the protection with register_mutex, and this also avoids
such races. But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the
concurrent ioctl may lead to use-after-free.

This patch just adds the guard with register_mutex to protect
snd_timer_user_params() for covering the code path as a quick
workaround. It's no hot-path but rather a rarely issued ioctl, so the
performance penalty doesn't matter.

Basic Information

ID CVE-2026-53192

Source Linux

Published Jun 25, 2026 at 08:39

Modified Jun 28, 2026 at 06:40

Affected Product

Vendor Linux

Product Linux

Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Affected Versions Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux 0
Linux Linux 0
Linux Linux 0
Linux Linux 0
Linux Linux 0
Linux Linux 0
Linux Linux 0

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: timer: Fix UAF at snd_timer_user_params()\n\nAt releasing a timer object, e.g. when a userspace timer\n(CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it\ntries to detach the timer instances and release the resources.\nHowever, it's still possible that other in-flight tasks are holding\nthe timer instance where the to-be-deleted timer object is associated,\nand this may lead to racy accesses.\n\nFortunately, most of ioctls dealing with the timer instance list\nalready have the protection with register_mutex, and this also avoids\nsuch races.  But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the\nconcurrent ioctl may lead to use-after-free.\n\nThis patch just adds the guard with register_mutex to protect\nsnd_timer_user_params() for covering the code path as a quick\nworkaround.  It's no hot-path but rather a rarely issued ioctl, so the\nperformance penalty doesn't matter.",
    "published": "2026-06-25T08:39:03.696Z",
    "modified": "2026-06-28T06:40:08.609Z",
    "type": "cve",
    "title": "ALSA: timer: Fix UAF at snd_timer_user_params()",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/92ad2d7f80cad43b046f093e808e11fe919d304a\nhttps://git.kernel.org/stable/c/117743d62e1225e208568a3ffc2c07214f1347cb\nhttps://git.kernel.org/stable/c/b2214914e461d0466548a52dfe4f4ee8ce362276\nhttps://git.kernel.org/stable/c/e2331730175f74169046d2af8db1b47243df7c7a\nhttps://git.kernel.org/stable/c/38034d04d4a75bbca01df2b313ced0bcd0fa3242\nhttps://git.kernel.org/stable/c/3d39da65b5c422c5e5afb7d5651b0698d060a827\nhttps://git.kernel.org/stable/c/306427adf9b97e29e5958cb9cf3096c6151fc9ff\nhttps://git.kernel.org/stable/c/053a401b592be424fea9d57c789f66cd5d8cec11",
    "id": "CVE-2026-53192",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\nLinux Linux 0\nLinux Linux 0\nLinux Linux 0\nLinux Linux 0\nLinux Linux 0\nLinux Linux 0\nLinux Linux 0",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply