{"id":"CVE-2026-53193","summary":"ALSA: timer: Forcibly close timer instances at closing","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: timer: Forcibly close timer instances at closing\n\nWhen snd_timer object is freed via snd_timer_free() and still pending\nsnd_timer_instance objects are assigned to the timer object, it tries\nto unlink all instances and just set NULL to each ti-\u003etimer, then\nreleases the resources immediately.  The problem is, however, when\nthere are slave timer instances that are associated with a master\ninstance linked to this timer: namely, those slave instances still\npoint to the freed timer object although the master instance is\nunlinked, which may lead to user-after-free.  The bug can be easily\ntriggered particularly when a new userspace-driven timers\n(CONFIG_SND_UTIMER) is involved, since it can create and delete the\ntimer object via a simple file open/close, while the other\napplications may keep accessing to that timer.\n\nThis patch is an attempt to paper over the problem above: now instead\nof just unlinking, call snd_timer_close[_locked]() forcibly for each\npending timer instance, so that all assigned slave timer instances are\nproperly detached, too.  Since snd_timer_close() might be called later\nby the driver that created that instance, the check of\nSNDRV_TIMER_IFLG_DEAD is added at the beginning, too.","modified":"2026-07-08T08:09:46.573033038Z","published":"2026-06-25T08:39:04.346Z","related":["CGA-v5x5-84f3-25gh"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53193.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/586b219a22b1032b28b8bd356b963276c5e5bf53"},{"type":"WEB","url":"https://git.kernel.org/stable/c/60e73ab87b84bbd6bd7ddd1d16019a3a3705ab8f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/da3039e91d1f835874ed6e9a33ea19ee80c2cb92"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f46093dd22969037beb1fce2e043f3236be41c92"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53193.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53193"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"37745918e0e7575bc40f38da93a99b9fa6406224"},{"fixed":"586b219a22b1032b28b8bd356b963276c5e5bf53"},{"fixed":"f46093dd22969037beb1fce2e043f3236be41c92"},{"fixed":"60e73ab87b84bbd6bd7ddd1d16019a3a3705ab8f"},{"fixed":"da3039e91d1f835874ed6e9a33ea19ee80c2cb92"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53193.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.12.0"},{"fixed":"6.12.94"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.36"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.13"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53193.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}