2404127 – (CVE-2025-39997) CVE-2025-39997 kernel: ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free

Bug 2404127 (CVE-2025-39997) - CVE-2025-39997 kernel: ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free

Summary: CVE-2025-39997 kernel: ALSA: usb-audio: fix race condition to UAF in snd_usbm...

Keywords:
Status:	NEW
Alias:	CVE-2025-39997
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-10-15 09:02 UTC by OSIDB Bzimport
Modified:	2025-10-16 14:05 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-10-15 09:02:00 UTC

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free

The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at
removal") patched a UAF issue caused by the error timer.

However, because the error timer kill added in this patch occurs after the
endpoint delete, a race condition to UAF still occurs, albeit rarely.

Additionally, since kill-cleanup for urb is also missing, freed memory can
be accessed in interrupt context related to urb, which can cause UAF.

Therefore, to prevent this, error timer and urb must be killed before
freeing the heap memory.

Comment 1 Mauro Matteo Cascella 2025-10-15 16:31:42 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025101528-CVE-2025-39997-4384@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.