CVE-2026-53193

Source
https://cve.org/CVERecord?id=CVE-2026-53193
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53193.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53193
Downstream
Related
Published
2026-06-25T08:39:04.346Z
Modified
2026-07-08T08:09:46.573033038Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
ALSA: timer: Forcibly close timer instances at closing
Details

In the Linux kernel, the following vulnerability has been resolved:

ALSA: timer: Forcibly close timer instances at closing

When sndtimer object is freed via sndtimerfree() and still pending sndtimerinstance objects are assigned to the timer object, it tries to unlink all instances and just set NULL to each ti->timer, then releases the resources immediately. The problem is, however, when there are slave timer instances that are associated with a master instance linked to this timer: namely, those slave instances still point to the freed timer object although the master instance is unlinked, which may lead to user-after-free. The bug can be easily triggered particularly when a new userspace-driven timers (CONFIGSND_UTIMER) is involved, since it can create and delete the timer object via a simple file open/close, while the other applications may keep accessing to that timer.

This patch is an attempt to paper over the problem above: now instead of just unlinking, call sndtimerclose_locked forcibly for each pending timer instance, so that all assigned slave timer instances are properly detached, too. Since sndtimerclose() might be called later by the driver that created that instance, the check of SNDRVTIMERIFLG_DEAD is added at the beginning, too.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53193.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
37745918e0e7575bc40f38da93a99b9fa6406224
Fixed
586b219a22b1032b28b8bd356b963276c5e5bf53
Fixed
f46093dd22969037beb1fce2e043f3236be41c92
Fixed
60e73ab87b84bbd6bd7ddd1d16019a3a3705ab8f
Fixed
da3039e91d1f835874ed6e9a33ea19ee80c2cb92

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53193.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.12.0
Fixed
6.12.94
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53193.json"