Race Condition Vulnerability in Linux Kernel ALSA USB-Audio Module
CVE-2025-39997

Currently unrated

Key Information:

Vendor: Linux

Status
Vendor
CVE Published: 15 October 2025

What is CVE-2025-39997?

A race condition in the Linux kernel's ALSA usb-audio subsystem can lead to a use-after-free (UAF). A previous fix was aimed at a UAF linked to an error timer, but it was later found that a race can still occur because of the order of operations during endpoint deletion. The flaw allows freed memory to be accessed in interrupt context by code handling USB request blocks (urb), potentially leading to undefined behavior. To mitigate this, both the error timer and the urb must be terminated before the associated heap memory is freed.
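The ordering requirement above, as an added user-space C model (not kernel code and not the upstream patch): it assumes a worst-case schedule in which any callback still pending when the endpoint is freed runs afterwards. The names `run_teardown`, `count_safe_orders` and the `step` values are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only: all names are hypothetical, none is a kernel symbol. */
enum step { STOP_TIMER, KILL_URB, FREE_EP };

struct model {
    bool timer_armed;   /* error timer can still fire */
    bool urb_in_flight; /* urb completion can still run in interrupt context */
    int  uaf;           /* callbacks that ran against freed endpoint memory */
};

/* Run one teardown order; return how many callbacks touch freed memory. */
static int run_teardown(const enum step order[3])
{
    struct model m = { .timer_armed = true, .urb_in_flight = true, .uaf = 0 };

    for (int i = 0; i < 3; i++) {
        switch (order[i]) {
        case STOP_TIMER: m.timer_armed = false;   break; /* synchronous cancel */
        case KILL_URB:   m.urb_in_flight = false; break; /* synchronous kill */
        case FREE_EP:
            /* Worst-case schedule: everything still pending fires after the free. */
            m.uaf += m.timer_armed + m.urb_in_flight;
            m.timer_armed = m.urb_in_flight = false;
            break;
        }
    }
    return m.uaf;
}

/* Check all six orders; count those with no access to freed memory. */
static int count_safe_orders(void)
{
    static const enum step perms[6][3] = {
        { STOP_TIMER, KILL_URB, FREE_EP }, { KILL_URB, STOP_TIMER, FREE_EP },
        { STOP_TIMER, FREE_EP, KILL_URB }, { KILL_URB, FREE_EP, STOP_TIMER },
        { FREE_EP, STOP_TIMER, KILL_URB }, { FREE_EP, KILL_URB, STOP_TIMER },
    };
    int safe = 0;
    for (int p = 0; p < 6; p++)
        safe += (run_teardown(perms[p]) == 0);
    return safe;
}

int main(void)
{
    printf("safe teardown orders: %d of 6\n", count_safe_orders());
    return 0;
}
```

In this model, stopping only the timer before the free still leaves one stale callback (the urb), and only the orders that free last report none.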

Affected Version(s)

Linux 647410a7da46067953a53c0d03f8680eff570959

Linux c611b9e55174e439dcd85a72969b43a95f3827a4 < 647d6b8d22be12842fde6ed0c56859ebc615f21e

Linux 0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1

Timeline

  • Vulnerability published

  • Vulnerability Reserved
