CVE-2025-39997 – ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free

CVE ID : CVE-2025-39997

Published : Oct. 15, 2025, 8:15 a.m. | 24 minutes ago

Description : In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free

The previous commit 0718a78f6a9f (“ALSA: usb-audio: Kill timer properly at
removal”) patched a UAF issue caused by the error timer.

However, because the error timer kill added in this patch occurs after the
endpoint delete, a race condition to UAF still occurs, albeit rarely.

Additionally, since kill-cleanup for urb is also missing, freed memory can
be accessed in interrupt context related to urb, which can cause UAF.

Therefore, to prevent this, error timer and urb must be killed before
freeing the heap memory.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…