Skip to main content

Linux Kernel CVE-2026-53192

| EUVDEUVD-2026-39283 HIGH
Use After Free (CWE-416)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-jmf6-3v74-7x28
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local device access with low privilege (AV:L/PR:L); AC:H because winning the use-after-free timing race is probabilistic; high C/I/A from potential kernel memory corruption and escalation.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:28 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ALSA: timer: Fix UAF at snd_timer_user_params()

At releasing a timer object, e.g. when a userspace timer (CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it tries to detach the timer instances and release the resources. However, it's still possible that other in-flight tasks are holding the timer instance where the to-be-deleted timer object is associated, and this may lead to racy accesses.

Fortunately, most of ioctls dealing with the timer instance list already have the protection with register_mutex, and this also avoids such races. But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the concurrent ioctl may lead to use-after-free.

This patch just adds the guard with register_mutex to protect snd_timer_user_params() for covering the code path as a quick workaround. It's no hot-path but rather a rarely issued ioctl, so the performance penalty doesn't matter.

AnalysisAI

Local privilege escalation or memory corruption in the Linux kernel's ALSA timer subsystem stems from a use-after-free in snd_timer_user_params() reachable via the SNDRV_TIMER_IOCTL_PARAMS ioctl. A low-privileged local user with access to a timer device (notably userspace timers under CONFIG_SND_UTIMER) can race a concurrent ioctl against timer object release to access freed memory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local low-privileged shell
Delivery
Open ALSA userspace timer device
Exploit
Race PARAMS ioctl against timer release
Execution
Trigger use-after-free in snd_timer_user_params
Impact
Corrupt kernel memory for escalation

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to the system and the ability to open an ALSA timer device (typically /dev/snd/timer), then invoke the SNDRV_TIMER_IOCTL_PARAMS ioctl concurrently with timer-object release; the userspace-timer code path (CONFIG_SND_UTIMER) is the named trigger. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are consistent and point to a moderate, not urgent, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with access to an ALSA timer device opens a userspace timer, then issues a SNDRV_TIMER_IOCTL_PARAMS ioctl from one thread while concurrently triggering release of the timer object from another, racing to operate on the freed timer instance. Winning the race yields a use-after-free that can be groomed toward memory corruption and potential local privilege escalation. …
Remediation Vendor-released patch: update to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13 (or 7.1) or later, whichever matches your branch, via your distribution's kernel update channel. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify Linux systems with CONFIG_SND_UTIMER enabled and audit which users/groups have access to timer devices. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53192 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy