// For flags

CVE-2016-9794

kernel: ALSA: Use-after-free in kill_fasync

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Race condition in the snd_pcm_period_elapsed function in sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted SNDRV_PCM_TRIGGER_START command.

Condición de carrera en la función snd_pcm_period_elapsed en sound/core/pcm_lib.c en el subsistema de ALSA en el kernel de Linux en versiones anteriores a 4.7 permite a usuarios locales provocar una denegación de servicio (uso después de liberación de memoria) o posiblemente tener otro impacto no especificado a través de un comando SNDRV_PCM_TRIGGER_START manipulado.

A use-after-free vulnerability was found in ALSA pcm layer, which allows local users to cause a denial of service, memory corruption, or possibly other unspecified impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.

An update that solves four vulnerabilities and has one errata is now available. This update for the Linux Kernel 3.12.51-52_39 fixes several issues. The following security bugs were fixed. Race condition in the netlink_dump function in net/netlink/af_netlink.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via a crafted application that made sendmsg system calls, leading to a free operation associated with a new dump that started earlier than anticipated. Race condition in the snd_pcm_period_elapsed function in sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via a crafted SNDRV_PCM_TRIGGER_START command. The tipc_msg_build function in net/tipc/msg.c in the Linux kernel did not validate the relationship between the minimum fragment length and the maximum packet size, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability. The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel did not properly restrict the type of iterator, which allowed local users to read or write to arbitrary kernel memory locations or cause a denial of service by leveraging access to a /dev/sg device.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
Attack Vector
Local
Attack Complexity
High
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-12-02 CVE Reserved
  • 2016-12-14 CVE Published
  • 2024-08-06 CVE Updated
  • 2025-06-21 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
  • CWE-416: Use After Free
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
< 3.2.85
Search vendor "Linux" for product "Linux Kernel" and version " < 3.2.85"
-
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 3.3 < 3.10.105
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.3 < 3.10.105"
-
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 3.11 < 3.12.69
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.11 < 3.12.69"
-
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 3.13 < 3.16.40
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 3.16.40"
-
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 3.17 < 3.18.52
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.17 < 3.18.52"
-
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 3.19 < 4.4.37
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.19 < 4.4.37"
-
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.5 < 4.7
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.5 < 4.7"
-
Affected