CVE-2026-53192

Source
https://cve.org/CVERecord?id=CVE-2026-53192
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53192.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53192
Downstream
Related
Published
2026-06-25T08:39:03.696Z
Modified
2026-07-08T08:09:46.223620811Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
ALSA: timer: Fix UAF at snd_timer_user_params()
Details

In the Linux kernel, the following vulnerability has been resolved:

ALSA: timer: Fix UAF at sndtimeruser_params()

At releasing a timer object, e.g. when a userspace timer (CONFIGSNDUTIMER) gets closed and sndtimerfree() is called, it tries to detach the timer instances and release the resources. However, it's still possible that other in-flight tasks are holding the timer instance where the to-be-deleted timer object is associated, and this may lead to racy accesses.

Fortunately, most of ioctls dealing with the timer instance list already have the protection with registermutex, and this also avoids such races. But, SNDRVTIMERIOCTLPARAMS isn't protected, hence the concurrent ioctl may lead to use-after-free.

This patch just adds the guard with registermutex to protect sndtimeruserparams() for covering the code path as a quick workaround. It's no hot-path but rather a rarely issued ioctl, so the performance penalty doesn't matter.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53192.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
37745918e0e7575bc40f38da93a99b9fa6406224
Fixed
38034d04d4a75bbca01df2b313ced0bcd0fa3242
Fixed
3d39da65b5c422c5e5afb7d5651b0698d060a827
Fixed
306427adf9b97e29e5958cb9cf3096c6151fc9ff
Fixed
053a401b592be424fea9d57c789f66cd5d8cec11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53192.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.12.0
Fixed
6.12.94
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53192.json"