Linux Kernel up to 6.16.10/6.17.0 ALSA snd_usbmidi_free use after free

Summaryinfo

A vulnerability described as critical has been identified in Linux Kernel up to 6.16.10/6.17.0. This impacts the function snd_usbmidi_free of the component ALSA. Such manipulation leads to use after free. This vulnerability is traded as CVE-2025-39997. There is no exploit available. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability was found in Linux Kernel up to 6.16.10/6.17.0. It has been rated as critical. Affected by this issue is the function snd_usbmidi_free of the component ALSA. The manipulation with an unknown input leads to a use after free vulnerability. Using CWE to declare the problem leads to CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. Impacted is confidentiality, integrity, and availability. CVE summarizes:

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal") patched a UAF issue caused by the error timer. However, because the error timer kill added in this patch occurs after the endpoint delete, a race condition to UAF still occurs, albeit rarely. Additionally, since kill-cleanup for urb is also missing, freed memory can be accessed in interrupt context related to urb, which can cause UAF. Therefore, to prevent this, error timer and urb must be killed before freeing the heap memory.

The advisory is available at git.kernel.org. This vulnerability is handled as CVE-2025-39997 since 04/16/2025. The exploitation is known to be easy. Technical details are known, but there is no available exploit. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment (estimation calculated on 02/08/2026).

The vulnerability scanner Nessus provides a plugin with the ID 271556 (Linux Distros Unpatched Vulnerability : CVE-2025-39997), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.16.11, 6.17.1 or 6.18-rc1 eliminates this vulnerability. Applying the patch dc4874366cf6cf4a31d8fa4b7f0e2a5b2d7647ba/647d6b8d22be12842fde6ed0c56859ebc615f21e/af600e7f5526d16146b3ae99f6ad57bfea79ca33/353d8c715cc951a980728133c9dd64ca5a0a186c/9f2c0ac1423d5f267e7f1d1940780fc764b0fee3 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (271556) and CERT Bund (WID-SEC-2025-2298). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Affected

• Google Container-Optimized OS
• Debian Linux
• Amazon Linux 2
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• SUSE openSUSE
• RESF Rocky Linux
• Open Source Linux Kernel
• IBM QRadar SIEM
• Dell NetWorker

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.0
• 6.1
• 6.2
• 6.3
• 6.4
• 6.5
• 6.6
• 6.7
• 6.8
• 6.9
• 6.10
• 6.11
• 6.12
• 6.13
• 6.14
• 6.15
• 6.16
• 6.16.0
• 6.16.1
• 6.16.2
• 6.16.3
• 6.16.4
• 6.16.5
• 6.16.6
• 6.16.7
• 6.16.8
• 6.16.9
• 6.16.10
• 6.17.0

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion