Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local device access with low privilege (AV:L/PR:L); AC:H because winning the use-after-free timing race is probabilistic; high C/I/A from potential kernel memory corruption and escalation.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
ALSA: timer: Fix UAF at snd_timer_user_params()
At releasing a timer object, e.g. when a userspace timer (CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it tries to detach the timer instances and release the resources. However, it's still possible that other in-flight tasks are holding the timer instance where the to-be-deleted timer object is associated, and this may lead to racy accesses.
Fortunately, most of ioctls dealing with the timer instance list already have the protection with register_mutex, and this also avoids such races. But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the concurrent ioctl may lead to use-after-free.
This patch just adds the guard with register_mutex to protect snd_timer_user_params() for covering the code path as a quick workaround. It's no hot-path but rather a rarely issued ioctl, so the performance penalty doesn't matter.
AnalysisAI
Local privilege escalation or memory corruption in the Linux kernel's ALSA timer subsystem stems from a use-after-free in snd_timer_user_params() reachable via the SNDRV_TIMER_IOCTL_PARAMS ioctl. A low-privileged local user with access to a timer device (notably userspace timers under CONFIG_SND_UTIMER) can race a concurrent ioctl against timer object release to access freed memory. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access to the system and the ability to open an ALSA timer device (typically /dev/snd/timer), then invoke the SNDRV_TIMER_IOCTL_PARAMS ioctl concurrently with timer-object release; the userspace-timer code path (CONFIG_SND_UTIMER) is the named trigger. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are consistent and point to a moderate, not urgent, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with access to an ALSA timer device opens a userspace timer, then issues a SNDRV_TIMER_IOCTL_PARAMS ioctl from one thread while concurrently triggering release of the timer object from another, racing to operate on the freed timer instance. Winning the race yields a use-after-free that can be groomed toward memory corruption and potential local privilege escalation. … |
| Remediation | Vendor-released patch: update to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13 (or 7.1) or later, whichever matches your branch, via your distribution's kernel update channel. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify Linux systems with CONFIG_SND_UTIMER enabled and audit which users/groups have access to timer devices. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39283
GHSA-jmf6-3v74-7x28