CVE-2025-39997

Linux Kernel 6.16.0-6.16.10, 6.17.0 - Use-After-Free in ALSA USB Audio MIDI Endpoint Cleanup

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal") patched a UAF issue caused by the error timer. However, because the error timer kill added in this patch occurs after the endpoint delete, a race condition to UAF still occurs, albeit rarely. Additionally, since kill-cleanup for urb is also missing, freed memory can be accessed in interrupt context related to urb, which can cause UAF. Therefore, to prevent this, error timer and urb must be killed before freeing the heap memory.

Scores

EPSS 0.0019
EPSS Percentile 8.9%

Details

Status published
Products (23)
linux/Kernel < 6.1.175linux
linux/Kernel 6.16.0 - 6.16.11linux
linux/Kernel 6.16.0 - 6.17.1linux
linux/Kernel 6.17.0 - 6.17.1linux
linux/Kernel 6.2.0 - 6.16.11linux
Linux/Linux < 6.16
Linux/Linux 06513dd6d32c37d0364db8488cfdf3e14da238a8 - e63f049c7764b615d1d50cb486745fa63372b42d
Linux/Linux 0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1 - 353d8c715cc951a980728133c9dd64ca5a0a186c
Linux/Linux 0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1 - 9f2c0ac1423d5f267e7f1d1940780fc764b0fee3
Linux/Linux 0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1 - af600e7f5526d16146b3ae99f6ad57bfea79ca33
... and 13 more
Published Oct 15, 2025
Tracked Since Feb 18, 2026