Home

Description

The Advanced Linux Sound Architecture (ALSA) library before 1.2.16.1 contains a double-free vulnerability in parse_def() in src/conf.c that allows attackers to corrupt memory by supplying maliciously crafted ALSA configuration text. When parsing nested compound or array configuration blocks, parse_def() fails to check return values before continuing, causing snd_config_delete() to be called twice on the same already-freed node, resulting in a NULL-pointer write or invalid memory read.

PUBLISHED Reserved 2026-06-18 | Published 2026-06-22 | Updated 2026-06-22 | Assigner VulnCheck




HIGH: 7.0CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

MEDIUM: 6.8CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Problem types

Double Free

Product status

Default status
affected

Any version before 1.2.16.1
affected

Credits

Dmitrijs Trizna of Aisle Research finder

Luigino Camastra of Aisle Research finder

Guido Vranken of Aisle Research finder

Ze Sheng of Aisle Research finder

References

lore.kernel.org/...HAcBhAyHUUBPLBN-Yj_SiV6MQ@mail.gmail.com/ (Researcher Disclosure) technical-description exploit

github.com/alsa-project/alsa-lib/releases/tag/v1.2.16.1 (Release Notes) release-notes

github.com/...ommit/536dd6f8affdf5197c12a63a71c92a70b2833cc0 (Patch Commit) patch

www.vulncheck.com/...ary-double-free-via-parse-def-in-conf-c third-party-advisory

cve.org (CVE-2026-56109)

nvd.nist.gov (CVE-2026-56109)

Download JSON