Skip to main content

Linux Kernel EUVDEUVD-2026-39192

| CVE-2026-53241 MEDIUM
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-jcg9-m46h-g922
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.1 MEDIUM

Local access with low privilege required; C:L added over vendor C:N to reflect kernel stack overread potential for information disclosure per 'Information Disclosure' tag.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 07, 2026 - 22:38 vuln.today
CVSS changed
Jul 07, 2026 - 22:37 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ALSA: seq: dummy: fix UMP event stack overread

The dummy sequencer port forwards events by copying an incoming struct snd_seq_event into a stack temporary, rewriting source and destination, and dispatching the temporary to subscribers. That legacy event storage is smaller than struct snd_seq_ump_event.

When a UMP event reaches the dummy client, the copy leaves the UMP flag set but only provides legacy-sized stack storage. The subscriber delivery path then uses snd_seq_event_packet_size() and copies a UMP-sized packet from that stack object, reading past the end of the temporary.

Use the existing union __snd_seq_event storage and copy the packet size reported for the incoming event before rewriting the common routing fields. This preserves the full UMP packet for UMP events while keeping legacy event handling unchanged.

AnalysisAI

Stack overread in the Linux kernel ALSA MIDI sequencer dummy client (snd_seq_dummy) allows a local low-privileged user to crash the kernel or potentially leak kernel stack contents by sending a crafted Universal MIDI Packet (UMP) event. The dummy port copies incoming events into a legacy-sized stack temporary, but when the UMP flag remains set the delivery path calls snd_seq_event_packet_size() and copies a larger UMP-sized packet from that undersized allocation, reading past the stack buffer end. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local low-privilege access
Delivery
Open ALSA sequencer device
Exploit
Connect to dummy sequencer port
Execution
Send crafted UMP event
Persist
Trigger undersized-buffer stack overread
Impact
Kernel crash or kernel stack data disclosure

Vulnerability AssessmentAI

Exploitation Requires local system access with at least low privilege (PR:L per CVSS vector) - specifically, the ability to open and write to the ALSA sequencer device, which on most Linux distributions requires membership in the 'audio' group or an equivalent capability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 5.5 Medium) correctly identifies this as a local, low-privilege, availability-only issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with low privileges - for example, a member of the audio group on a desktop or audio-production system - opens the ALSA sequencer device, connects to the dummy sequencer port, and sends a crafted UMP (Universal MIDI Packet) event. The dummy client copies the event into an undersized legacy stack buffer while preserving the UMP flag; when the delivery path computes the packet size and copies UMP-sized data from that buffer, it reads past the stack allocation, potentially causing a kernel panic (denial of service) or exposing adjacent kernel stack data. …
Remediation Upgrade to a patched stable kernel: Linux 6.12.94, 6.18.36, or 7.0.13 as confirmed by EUVD-2026-39192, or apply the upstream fix commits directly (links above) for out-of-tree builds. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39192 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy