CVE-2016-9794
kernel: ALSA: Use-after-free in kill_fasync
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Race condition in the snd_pcm_period_elapsed function in sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted SNDRV_PCM_TRIGGER_START command.
Condición de carrera en la función snd_pcm_period_elapsed en sound/core/pcm_lib.c en el subsistema de ALSA en el kernel de Linux en versiones anteriores a 4.7 permite a usuarios locales provocar una denegación de servicio (uso después de liberación de memoria) o posiblemente tener otro impacto no especificado a través de un comando SNDRV_PCM_TRIGGER_START manipulado.
A use-after-free vulnerability was found in ALSA pcm layer, which allows local users to cause a denial of service, memory corruption, or possibly other unspecified impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
An update that solves four vulnerabilities and has one errata is now available. This update for the Linux Kernel 3.12.51-52_39 fixes several issues. The following security bugs were fixed. Race condition in the netlink_dump function in net/netlink/af_netlink.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via a crafted application that made sendmsg system calls, leading to a free operation associated with a new dump that started earlier than anticipated. Race condition in the snd_pcm_period_elapsed function in sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via a crafted SNDRV_PCM_TRIGGER_START command. The tipc_msg_build function in net/tipc/msg.c in the Linux kernel did not validate the relationship between the minimum fragment length and the maximum packet size, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability. The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel did not properly restrict the type of iterator, which allowed local users to read or write to arbitrary kernel memory locations or cause a denial of service by leveraging access to a /dev/sg device.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2016-12-02 CVE Reserved
- 2016-12-14 CVE Published
- 2024-08-06 CVE Updated
- 2025-06-21 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
- CWE-416: Use After Free
CAPEC
References (16)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/94654 | Third Party Advisory | |
https://patchwork.kernel.org/patch/8752621 | Issue Tracking | |
https://source.android.com/security/bulletin/2017-05-01 | Third Party Advisory |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 3.2.85 Search vendor "Linux" for product "Linux Kernel" and version " < 3.2.85" | - |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.3 < 3.10.105 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.3 < 3.10.105" | - |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.11 < 3.12.69 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.11 < 3.12.69" | - |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.13 < 3.16.40 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 3.16.40" | - |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.17 < 3.18.52 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.17 < 3.18.52" | - |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.19 < 4.4.37 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 4.4.37" | - |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.5 < 4.7 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.5 < 4.7" | - |
Affected
|