ALSA Library CVE-2026-56109

EUVD: EUVD-2026-38301 · HIGH
Double Free (CWE-415)
2026-06-22 · VulnCheck · GHSA-jfrh-w252-q2h4
7.0 · CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck), primary: 7.0 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI: 6.1 MEDIUM

Local-only via ALSA config text (AV:L); any local user can stage a config (PR:N) but a victim process must load it (UI:R); impact is crash/memory corruption, not disclosure (C:N, I:L, A:H).

CVSS 3.1: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
CVSS 4.0: AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
SUSE: 6.8 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

Source Code Evidence Fetched: Jun 22, 2026 - 17:52 (vuln.today)
Analysis Generated: Jun 22, 2026 - 17:52 (vuln.today)
CVE Published: Jun 22, 2026 - 15:58 (cve.org)

Description (CVE.org)

The Advanced Linux Sound Architecture (ALSA) library before 1.2.16.1 contains a double-free vulnerability in parse_def() in src/conf.c that allows attackers to corrupt memory by supplying maliciously crafted ALSA configuration text. When parsing nested compound or array configuration blocks, parse_def() fails to check return values before continuing, causing snd_config_delete() to be called twice on the same already-freed node, resulting in a NULL-pointer write or invalid memory read.

Analysis (AI)

Memory corruption in the Advanced Linux Sound Architecture (ALSA) user-space library (alsa-lib) before 1.2.16.1 allows local attackers to crash audio-dependent processes by feeding maliciously crafted configuration text to parse_def() in src/conf.c. The flaw is a double-free reachable through nested compound or array config blocks, leading to a NULL-pointer write or invalid read; publicly available exploit code exists (reported by VulnCheck), but the issue is not on the CISA KEV list.

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain local foothold on Linux host
Delivery: Plant crafted ALSA config (asoundrc/include/string)
Exploit: Victim process invokes snd_config_load
Execution: parse_def hits unchecked nested-block error
Persist: snd_config_delete called twice on freed node
Impact: Process crash or memory corruption (DoS of audio stack)

Vulnerability Assessment (AI)

Exploitation: Requires local delivery of attacker-controlled ALSA configuration text to a process linked against vulnerable alsa-lib (<1.2.16.1) - concretely, the ability to write or influence /etc/asound.conf, ~/.asoundrc, any file pulled in via ALSA include/hook directives, or to pass a config string into snd_config_load_string()/snd_config_load(). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Vendor-supplied CVSS 4.0 (7.0, AV:L/AC:L/PR:N/UI:N, VC:N/VI:L/VA:H) reflects a local-only, availability-dominant bug - corrupting audio sessions, not exfiltrating data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An unprivileged local user on a shared Linux host drops a crafted ~/.asoundrc (or a sound application loads attacker-supplied config text) containing a malformed nested compound/array block; when the target process initialises ALSA via snd_config_load(), parse_def() double-frees a node and the process crashes or corrupts adjacent memory. Public exploit material referenced on the alsa-devel mailing list lowers the barrier to reproducing the crash, and the same primitive may be chainable from a browser/audio-passthrough sandbox where attacker-controlled config bytes reach alsa-lib.

Remediation: Vendor-released patch: upgrade to alsa-lib 1.2.16.1 or later (release at https://github.com/alsa-project/alsa-lib/releases/tag/v1.2.16.1, fix commit https://github.com/alsa-project/alsa-lib/commit/536dd6f8affdf5197c12a63a71c92a70b2833cc0); track your distribution's security feed and apply the corresponding alsa-lib / libasound2 package. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all systems running alsa-lib and document installed versions using package managers (rpm, dpkg, apt); flag all instances below 1.2.16.1 as at-risk. …
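One way to carry out that inventory step, as an added example that is not vuln.today's or the alsa-project's own code: the script reduces a distribution package version to its upstream number and flags anything below the fixed release 1.2.16.1. It assumes the package names libasound2 (Debian/Ubuntu; some releases ship it as libasound2t64) and alsa-lib (rpm-based distributions), so adjust those for your fleet.

```shell
#!/bin/sh
# Added example (not vuln.today's or alsa-project's code): flag installed
# alsa-lib builds older than the fixed release 1.2.16.1 (CVE-2026-56109).
# Assumed package names: libasound2 (deb-based) and alsa-lib (rpm-based).
FIXED_VERSION="1.2.16.1"

# Reduce a distro version string to its upstream part:
# "2:1.2.16-1ubuntu1" -> "1.2.16", "1.2.16.1-150700.1.1" -> "1.2.16.1".
upstream_version() {
    v=${1#*:}      # drop Debian epoch
    v=${v%%-*}     # drop release/revision suffix
    printf '%s\n' "$v"
}

# Compare two dotted versions component by component; prints -1, 0 or 1.
# Missing components count as 0, so 1.2.16 sorts below 1.2.16.1.
version_cmp() {
    a=$(upstream_version "$1"); b=$(upstream_version "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        ah=${ah%%[!0-9]*}; bh=${bh%%[!0-9]*}   # keep the numeric prefix (1rc2 -> 1)
        ah=${ah:-0}; bh=${bh:-0}
        [ "$ah" -lt "$bh" ] && { printf '%s\n' -1; return 0; }
        [ "$ah" -gt "$bh" ] && { printf '%s\n' 1; return 0; }
    done
    printf '%s\n' 0
}

# "at-risk" when the installed version is below the fix, "ok" otherwise.
alsa_status() {
    if [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]; then printf '%s\n' at-risk; else printf '%s\n' ok; fi
}

# Read the installed version from whichever package manager is present.
installed_alsa_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' libasound2 2>/dev/null | head -n 1
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q alsa-lib >/dev/null 2>&1 && rpm -q --qf '%{VERSION}-%{RELEASE}\n' alsa-lib | head -n 1
    fi
    return 0   # an absent package is reported as an empty string, not an error
}

v=$(installed_alsa_version)
if [ -n "$v" ]; then printf 'alsa-lib %s: %s\n' "$v" "$(alsa_status "$v")"; fi
```

Run it on each host (or through your configuration-management tool) and collect the lines marked at-risk; the comparison functions can be reused against package lists exported from an inventory system.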

Vendor Status (Vendor)

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Server 16.0: Affected
SUSE Linux Enterprise Desktop 15 SP7: Affected
SUSE Linux Enterprise High Performance Computing 15 SP7: Affected
SUSE Linux Enterprise Micro 5.3: Affected
SUSE Linux Enterprise Micro 5.4: Affected

CVE-2026-56109 vulnerability details – vuln.today