Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local access with low privilege required; C:L added over vendor C:N to reflect kernel stack overread potential for information disclosure per 'Information Disclosure' tag.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
ALSA: seq: dummy: fix UMP event stack overread
The dummy sequencer port forwards events by copying an incoming struct snd_seq_event into a stack temporary, rewriting source and destination, and dispatching the temporary to subscribers. That legacy event storage is smaller than struct snd_seq_ump_event.
When a UMP event reaches the dummy client, the copy leaves the UMP flag set but only provides legacy-sized stack storage. The subscriber delivery path then uses snd_seq_event_packet_size() and copies a UMP-sized packet from that stack object, reading past the end of the temporary.
Use the existing union __snd_seq_event storage and copy the packet size reported for the incoming event before rewriting the common routing fields. This preserves the full UMP packet for UMP events while keeping legacy event handling unchanged.
AnalysisAI
Stack overread in the Linux kernel ALSA MIDI sequencer dummy client (snd_seq_dummy) allows a local low-privileged user to crash the kernel or potentially leak kernel stack contents by sending a crafted Universal MIDI Packet (UMP) event. The dummy port copies incoming events into a legacy-sized stack temporary, but when the UMP flag remains set the delivery path calls snd_seq_event_packet_size() and copies a larger UMP-sized packet from that undersized allocation, reading past the stack buffer end. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local system access with at least low privilege (PR:L per CVSS vector) - specifically, the ability to open and write to the ALSA sequencer device, which on most Linux distributions requires membership in the 'audio' group or an equivalent capability. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 5.5 Medium) correctly identifies this as a local, low-privilege, availability-only issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with low privileges - for example, a member of the audio group on a desktop or audio-production system - opens the ALSA sequencer device, connects to the dummy sequencer port, and sends a crafted UMP (Universal MIDI Packet) event. The dummy client copies the event into an undersized legacy stack buffer while preserving the UMP flag; when the delivery path computes the packet size and copies UMP-sized data from that buffer, it reads past the stack allocation, potentially causing a kernel panic (denial of service) or exposing adjacent kernel stack data. … |
| Remediation | Upgrade to a patched stable kernel: Linux 6.12.94, 6.18.36, or 7.0.13 as confirmed by EUVD-2026-39192, or apply the upstream fix commits directly (links above) for out-of-tree builds. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39192
GHSA-jcg9-m46h-g922