CVE-2025-39997
Description
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free
The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal") patched a UAF issue caused by the error timer.
However, because the error timer kill added in this patch occurs after the endpoint delete, a race condition to UAF still occurs, albeit rarely.
Additionally, since kill-cleanup for urb is also missing, freed memory can be accessed in interrupt context related to urb, which can cause UAF.
Therefore, to prevent this, error timer and urb must be killed before freeing the heap memory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's ALSA USB-audio MIDI driver can lead to use-after-free (UAF) when freeing memory before killing timers and URBs.
Vulnerability
Overview
CVE-2025-39997 is a use-after-free (UAF) vulnerability in the Linux kernel's ALSA USB-audio MIDI subsystem, specifically in the snd_usbmidi_free function. The root cause is a race condition where the error timer and associated URBs are not properly cleaned up before heap memory is freed. A previous fix (commit 0718a78f6a9f) attempted to address a similar UAF by killing the timer at removal, but it placed the timer kill after the endpoint delete, leaving a window for a race condition to still occur. Additionally, the cleanup of URBs was missing entirely, allowing freed memory to be accessed in interrupt context [1][2][3].
Exploitation
An attacker with local access to the system can trigger the race condition by manipulating USB device hotplug or MIDI device operations. The vulnerability requires the ability to cause the USB audio device to be removed while MIDI operations are in progress. No special privileges beyond the ability to interact with USB devices are needed, but the attack is dependent on precise timing to hit the race window.
Impact
Successful exploitation leads to a use-after-free condition, which can result in memory corruption, system crash (denial of service), or potentially arbitrary code execution in kernel context. The UAF occurs when the freed memory is accessed by the error timer callback or URB completion handler, giving an attacker control over kernel memory.
Mitigation
The fix is included in the Linux kernel stable tree as commits af600e7f5526, dc4874366cf6, and 353d8c715cc9. These patches ensure that the error timer and all URBs are killed before freeing the heap memory, closing the race window. Users should apply the updated kernel version containing these commits.
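The ordering requirement described above, as an added example that is not part of the advisory or of the kernel patch: a userspace C model that counts how many pending callbacks would run against freed endpoint memory for a given teardown order. All names and the number of URBs are hypothetical, and it assumes worst-case scheduling, where every callback still pending at the free fires right after it.

```c
/* Userspace model of the teardown ordering; not kernel code. All names are
 * hypothetical. Callbacks are only counted, no memory is actually freed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define N_URBS 2 /* constructed: in-flight URBs in the model */

enum step { KILL_TIMER, KILL_URBS, FREE_ENDPOINTS };

struct model {
    bool timer_armed;            /* error timer still pending */
    bool urb_in_flight[N_URBS];  /* URB completion still pending */
};

/* Apply teardown steps in order. Worst-case scheduling is assumed: every
 * callback still pending when the endpoints are freed fires right after the
 * free. Returns how many callbacks ran against freed memory. */
int stale_accesses(const enum step *order, size_t n)
{
    struct model m = { true, { true, true } };
    int stale = 0;

    for (size_t i = 0; i < n; i++) {
        switch (order[i]) {
        case KILL_TIMER: /* synchronous cancel: cannot fire afterwards */
            m.timer_armed = false;
            break;
        case KILL_URBS:
            for (int u = 0; u < N_URBS; u++) m.urb_in_flight[u] = false;
            break;
        case FREE_ENDPOINTS: /* anything still pending now touches freed memory */
            stale += m.timer_armed;
            m.timer_armed = false;
            for (int u = 0; u < N_URBS; u++) {
                stale += m.urb_in_flight[u];
                m.urb_in_flight[u] = false;
            }
            break;
        }
    }
    return stale;
}

/* The two orders the description contrasts. */
const enum step after_0718a78f6a9f[] = { FREE_ENDPOINTS, KILL_TIMER };
const enum step fixed_order[] = { KILL_TIMER, KILL_URBS, FREE_ENDPOINTS };

int main(void)
{
    printf("timer killed after free, URBs not killed: %d stale\n",
           stale_accesses(after_0718a78f6a9f, 2));
    printf("timer and URBs killed before free: %d stale\n",
           stale_accesses(fixed_order, 3));
    return 0;
}
```

Killing only the timer before the free still leaves the URB callbacks pending in this model, which is why the description requires both to be stopped first.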
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (5)
- dc4874366cf6
- 647d6b8d22be
- af600e7f5526
- 353d8c715cc9
- 9f2c0ac1423d
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- git.kernel.org/stable/c/353d8c715cc951a980728133c9dd64ca5a0a186c (nvd)
- git.kernel.org/stable/c/647d6b8d22be12842fde6ed0c56859ebc615f21e (nvd)
- git.kernel.org/stable/c/9f2c0ac1423d5f267e7f1d1940780fc764b0fee3 (nvd)
- git.kernel.org/stable/c/af600e7f5526d16146b3ae99f6ad57bfea79ca33 (nvd)
- git.kernel.org/stable/c/dc4874366cf6cf4a31d8fa4b7f0e2a5b2d7647ba (nvd)