CVE-2016-4578

MEDIUM

Linux Kernel < 4.6 - Information Disclosure via Uninitialized ALSA Timer Data Structures

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-4578. PoCs published by wally0813.

AI-analyzed exploit summary This exploit leverages an uninitialized memory leak in the Linux kernel's ALSA timer subsystem (CVE-2016-4578) to disclose kernel pointer addresses via snd_timer_user_ccallback(). It triggers the vulnerability by manipulating timer parameters and reading uninitialized data from the kernel.

Description

sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions.

Exploits (1)

exploitdb WORKING POC

by wally0813 · cdoslinux

https://www.exploit-db.com/exploits/46529

View Code ZIP pw:eip

This exploit leverages an uninitialized memory leak in the Linux kernel's ALSA timer subsystem (CVE-2016-4578) to disclose kernel pointer addresses via snd_timer_user_ccallback(). It triggers the vulnerability by manipulating timer parameters and reading uninitialized data from the kernel.

Classification

Working Poc 100%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Linux Kernel 4.4 (Ubuntu 16.04)

Auth required

Prerequisites: Access to /dev/snd/timer · Local user privileges

MITRE ATT&CK

T1069 - Permission Groups Discovery T1082 - System Information Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (31)

Core 31

Core References

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00054.html

Vendor Advisory x_refsource_confirm

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e4ec8cc8039a7063e24204299b462bd1383184a5

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00007.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00055.html

Third Party Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2016-2584.html

Third Party Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2016-2574.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00044.html

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2016/dsa-3607

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/90535

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3016-2

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3016-1

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00052.html

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3021-1

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3018-1

Vendor Advisory x_refsource_confirm

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6

Mailing List mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2016/05/11/5

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00044.html

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3016-3

Vendor Advisory x_refsource_confirm

https://github.com/torvalds/linux/commit/9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3016-4

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3020-1

Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3017-1

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/46529/

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3017-3

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3018-2

Vendor Advisory x_refsource_confirm

https://github.com/torvalds/linux/commit/e4ec8cc8039a7063e24204299b462bd1383184a5

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3021-2

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3017-2

Issue Tracking, Third Party Advisory, VDB Entry x_refsource_confirm

https://bugzilla.redhat.com/show_bug.cgi?id=1335215

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-3019-1

Scores

CVSS v3 5.5

EPSS 0.0121

EPSS Percentile 64.7%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-200

Status published

Products (20)

canonical/ubuntu_linux 12.04

canonical/ubuntu_linux 14.04

canonical/ubuntu_linux 15.10

canonical/ubuntu_linux 16.04

debian/debian_linux 8.0

linux/linux_kernel < 4.6

opensuse/leap 42.1

opensuse/opensuse 13.1

redhat/enterprise_linux_desktop 7.0

redhat/enterprise_linux_server 7.0

... and 10 more

Published May 23, 2016

Tracked Since Feb 18, 2026