Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local authenticated access to the ALSA timer device gives PR:L and AV:L; reliable exploitation needs winning a free/use race so AC:H; kernel UAF yields full C/I/A on the host.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
ALSA: timer: Forcibly close timer instances at closing
When snd_timer object is freed via snd_timer_free() and still pending snd_timer_instance objects are assigned to the timer object, it tries to unlink all instances and just set NULL to each ti->timer, then releases the resources immediately. The problem is, however, when there are slave timer instances that are associated with a master instance linked to this timer: namely, those slave instances still point to the freed timer object although the master instance is unlinked, which may lead to user-after-free. The bug can be easily triggered particularly when a new userspace-driven timers (CONFIG_SND_UTIMER) is involved, since it can create and delete the timer object via a simple file open/close, while the other applications may keep accessing to that timer.
This patch is an attempt to paper over the problem above: now instead of just unlinking, call snd_timer_close[_locked]() forcibly for each pending timer instance, so that all assigned slave timer instances are properly detached, too. Since snd_timer_close() might be called later by the driver that created that instance, the check of SNDRV_TIMER_IFLG_DEAD is added at the beginning, too.
AnalysisAI
Local privilege escalation via use-after-free in the Linux kernel ALSA timer subsystem (sound/core/timer.c) allows an authenticated local user to corrupt kernel memory by triggering dangling references to a freed snd_timer object. When snd_timer_free() unlinked pending instances it left slave timer instances still pointing at the freed master timer; the flaw is readily reachable through the userspace-driven timer interface (CONFIG_SND_UTIMER), where opening/closing a file creates and destroys timer objects while other processes keep accessing them. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires authenticated local access (CVSS PR:L) with the ability to open the ALSA timer device (/dev/snd/timer) - in practice membership of the 'audio' group or an equivalently permissioned local/container context. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are internally consistent and point to a real but locally-scoped issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A logged-in local user (or a process inside an unprivileged container with access to the ALSA timer device) repeatedly opens and closes a userspace-driven timer to free the snd_timer object while a second thread holds slave timer instances that still reference it, then races accesses to operate on the freed memory. By grooming the kernel heap to reclaim the freed object with attacker-controlled data, the dangling slave reference is leveraged to corrupt kernel state and escalate to root. … |
| Remediation | Vendor-released patch: update to a fixed Linux kernel - 6.12.94, 6.18.36, 7.0.13, or 7.1 (or your distribution's backport carrying these stable commits), then reboot to load the patched kernel. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory all Linux systems with ALSA timer support enabled (CONFIG_SND_UTIMER), prioritizing those handling sensitive workloads. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39284
GHSA-r56g-vpx5-3639