Home

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Forcibly close timer instances at closing When snd_timer object is freed via snd_timer_free() and still pending snd_timer_instance objects are assigned to the timer object, it tries to unlink all instances and just set NULL to each ti->timer, then releases the resources immediately. The problem is, however, when there are slave timer instances that are associated with a master instance linked to this timer: namely, those slave instances still point to the freed timer object although the master instance is unlinked, which may lead to user-after-free. The bug can be easily triggered particularly when a new userspace-driven timers (CONFIG_SND_UTIMER) is involved, since it can create and delete the timer object via a simple file open/close, while the other applications may keep accessing to that timer. This patch is an attempt to paper over the problem above: now instead of just unlinking, call snd_timer_close[_locked]() forcibly for each pending timer instance, so that all assigned slave timer instances are properly detached, too. Since snd_timer_close() might be called later by the driver that created that instance, the check of SNDRV_TIMER_IFLG_DEAD is added at the beginning, too.

PUBLISHED Reserved 2026-06-09 | Published 2026-06-25 | Updated 2026-06-25 | Assigner Linux

Product status

Default status
unaffected

37745918e0e7575bc40f38da93a99b9fa6406224 (git) before 586b219a22b1032b28b8bd356b963276c5e5bf53
affected

37745918e0e7575bc40f38da93a99b9fa6406224 (git) before f46093dd22969037beb1fce2e043f3236be41c92
affected

37745918e0e7575bc40f38da93a99b9fa6406224 (git) before 60e73ab87b84bbd6bd7ddd1d16019a3a3705ab8f
affected

37745918e0e7575bc40f38da93a99b9fa6406224 (git) before da3039e91d1f835874ed6e9a33ea19ee80c2cb92
affected

Default status
affected

6.12
affected

Any version before 6.12
unaffected

6.12.94 (semver)
unaffected

6.18.36 (semver)
unaffected

7.0.13 (semver)
unaffected

7.1 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/586b219a22b1032b28b8bd356b963276c5e5bf53

git.kernel.org/...c/f46093dd22969037beb1fce2e043f3236be41c92

git.kernel.org/...c/60e73ab87b84bbd6bd7ddd1d16019a3a3705ab8f

git.kernel.org/...c/da3039e91d1f835874ed6e9a33ea19ee80c2cb92

cve.org (CVE-2026-53193)

nvd.nist.gov (CVE-2026-53193)

Download JSON