CVE-2025-39997
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 15/10/2025
Last modified: 16/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free

The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at
removal") patched a UAF issue caused by the error timer.

However, because the error timer kill added in this patch occurs after the
endpoint delete, a race condition to UAF still occurs, albeit rarely.

Additionally, since kill-cleanup for urb is also missing, freed memory can
be accessed in interrupt context related to urb, which can cause UAF.

Therefore, to prevent this, error timer and urb must be killed before
freeing the heap memory.
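
The teardown-ordering rule stated above, as an added single-threaded user-space model in C (not the kernel patch and not ALSA code). All struct and function names are hypothetical, and "freed" is tracked with a flag so stale handler accesses can be counted without touching released memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model; none of these names are kernel symbols. */
struct endpoint { bool freed; bool urb_in_flight; };
struct midi_dev {
    struct endpoint ep[2];
    bool timer_armed;       /* error timer pending; its handler walks ep[] */
};

/* Async handlers: each counts accesses to an endpoint already freed. */
static int timer_fire(struct midi_dev *d)
{
    int bad = 0;
    if (!d->timer_armed) return 0;
    d->timer_armed = false;
    for (size_t i = 0; i < 2; i++) bad += d->ep[i].freed;
    return bad;
}
static int urb_complete(struct endpoint *e)
{
    if (!e->urb_in_flight) return 0;
    e->urb_in_flight = false;
    return e->freed;        /* completion handler uses its endpoint */
}

static void kill_timer(struct midi_dev *d)    { d->timer_armed = false; }
static void kill_urb(struct endpoint *e)      { e->urb_in_flight = false; }
static void free_endpoint(struct endpoint *e) { e->freed = true; }

/* Returns how many handler accesses hit freed endpoints when the timer and
 * URB completions land in the window right after the endpoints are freed. */
static int teardown(bool fixed_order)
{
    struct midi_dev d = { .ep = { {false, true}, {false, true} },
                          .timer_armed = true };
    int stale = 0;
    if (fixed_order) {      /* quiesce every async source before freeing */
        kill_timer(&d);
        for (size_t i = 0; i < 2; i++) kill_urb(&d.ep[i]);
    }
    for (size_t i = 0; i < 2; i++) free_endpoint(&d.ep[i]);
    /* Race window: in the unfixed order the timer kill comes only after
     * this point and the URBs are never killed, so both can still fire. */
    stale += timer_fire(&d);
    for (size_t i = 0; i < 2; i++) stale += urb_complete(&d.ep[i]);
    return stale;
}

int main(void) { printf("%d %d\n", teardown(false), teardown(true)); return 0; }
```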
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/353d8c715cc951a980728133c9dd64ca5a0a186c
- https://git.kernel.org/stable/c/647d6b8d22be12842fde6ed0c56859ebc615f21e
- https://git.kernel.org/stable/c/9f2c0ac1423d5f267e7f1d1940780fc764b0fee3
- https://git.kernel.org/stable/c/af600e7f5526d16146b3ae99f6ad57bfea79ca33
- https://git.kernel.org/stable/c/dc4874366cf6cf4a31d8fa4b7f0e2a5b2d7647ba