Bug 2492820 (CVE-2026-53241) - CVE-2026-53241 kernel: ALSA: seq: dummy: fix UMP event stack overread
Summary: CVE-2026-53241 kernel: ALSA: seq: dummy: fix UMP event stack overread
Keywords:
Status: NEW
Alias: CVE-2026-53241
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-25 10:07 UTC by OSIDB Bzimport
Modified: 2026-06-26 07:09 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-25 10:07:29 UTC
In the Linux kernel, the following vulnerability has been resolved:

ALSA: seq: dummy: fix UMP event stack overread

The dummy sequencer port forwards events by copying an incoming
struct snd_seq_event into a stack temporary, rewriting source and
destination, and dispatching the temporary to subscribers. That legacy
event storage is smaller than struct snd_seq_ump_event.

When a UMP event reaches the dummy client, the copy leaves the UMP flag
set but only provides legacy-sized stack storage. The subscriber
delivery path then uses snd_seq_event_packet_size() and copies a
UMP-sized packet from that stack object, reading past the end of the
temporary.

Use the existing union __snd_seq_event storage and copy the packet size
reported for the incoming event before rewriting the common routing
fields. This preserves the full UMP packet for UMP events while keeping
legacy event handling unchanged.


Note You need to log in before you can comment on or make changes to this bug.