Skip to main content

Linux Kernel CVE-2026-53193

| EUVDEUVD-2026-39284 HIGH
Use After Free (CWE-416)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-r56g-vpx5-3639
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local authenticated access to the ALSA timer device gives PR:L and AV:L; reliable exploitation needs winning a free/use race so AC:H; kernel UAF yields full C/I/A on the host.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:29 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ALSA: timer: Forcibly close timer instances at closing

When snd_timer object is freed via snd_timer_free() and still pending snd_timer_instance objects are assigned to the timer object, it tries to unlink all instances and just set NULL to each ti->timer, then releases the resources immediately. The problem is, however, when there are slave timer instances that are associated with a master instance linked to this timer: namely, those slave instances still point to the freed timer object although the master instance is unlinked, which may lead to user-after-free. The bug can be easily triggered particularly when a new userspace-driven timers (CONFIG_SND_UTIMER) is involved, since it can create and delete the timer object via a simple file open/close, while the other applications may keep accessing to that timer.

This patch is an attempt to paper over the problem above: now instead of just unlinking, call snd_timer_close[_locked]() forcibly for each pending timer instance, so that all assigned slave timer instances are properly detached, too. Since snd_timer_close() might be called later by the driver that created that instance, the check of SNDRV_TIMER_IFLG_DEAD is added at the beginning, too.

AnalysisAI

Local privilege escalation via use-after-free in the Linux kernel ALSA timer subsystem (sound/core/timer.c) allows an authenticated local user to corrupt kernel memory by triggering dangling references to a freed snd_timer object. When snd_timer_free() unlinked pending instances it left slave timer instances still pointing at the freed master timer; the flaw is readily reachable through the userspace-driven timer interface (CONFIG_SND_UTIMER), where opening/closing a file creates and destroys timer objects while other processes keep accessing them. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local access to ALSA timer device
Delivery
Open userspace-driven timer (CONFIG_SND_UTIMER)
Exploit
Close timer to free snd_timer while slave instance holds reference
Execution
Race access to trigger use-after-free
Persist
Reclaim freed object via heap grooming
Impact
Corrupt kernel memory and escalate to root

Vulnerability AssessmentAI

Exploitation Requires authenticated local access (CVSS PR:L) with the ability to open the ALSA timer device (/dev/snd/timer) - in practice membership of the 'audio' group or an equivalently permissioned local/container context. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are internally consistent and point to a real but locally-scoped issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A logged-in local user (or a process inside an unprivileged container with access to the ALSA timer device) repeatedly opens and closes a userspace-driven timer to free the snd_timer object while a second thread holds slave timer instances that still reference it, then races accesses to operate on the freed memory. By grooming the kernel heap to reclaim the freed object with attacker-controlled data, the dangling slave reference is leveraged to corrupt kernel state and escalate to root. …
Remediation Vendor-released patch: update to a fixed Linux kernel - 6.12.94, 6.18.36, 7.0.13, or 7.1 (or your distribution's backport carrying these stable commits), then reboot to load the patched kernel. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all Linux systems with ALSA timer support enabled (CONFIG_SND_UTIMER), prioritizing those handling sensitive workloads. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53193 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy