CVE-2025-38105
BaseFortify
Publication date: 2025-07-03
Last updated on: 2026-03-25
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-NVD-CWE-noinfo | |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability can cause kernel warnings and potentially unstable behavior in the Linux kernel when the USB-audio MIDI driver's timer remains active after the driver has been freed without a disconnect call. This could lead to system instability or debugging difficulties, especially when debug configurations are enabled.
Can you explain this vulnerability to me?
This vulnerability occurs in the Linux kernel's USB-audio MIDI driver, where a timer is not properly stopped when the driver is freed without a disconnect call. The timer can therefore still be active while the object that contains it is released, which triggers a kernel warning when debug mode is enabled. The issue is fixed by shutting down the timer during the freeing process and by replacing timer_delete_sync() with timer_shutdown_sync() in the disconnect callback.
What immediate steps should I take to mitigate this vulnerability?
Apply the patch or update to a Linux kernel version where the USB-audio MIDI driver properly kills the timer by using timer_shutdown_sync() in snd_usbmidi_free() and replacing timer_delete_sync() with timer_shutdown_sync() in the disconnect callback. This ensures the timer is properly shut down and prevents kernel warnings or potential issues related to the timer being active after the driver is freed.