CVE-2023-54022
Memory Leak in Linux Kernel ALSA USB-Audio MIDI 2.0 Component

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Fix potential memory leaks at error path for UMP open

The allocation and initialization errors at alloc_midi_urbs() that is called at MIDI 2.0 / UMP device are supposed to be handled at the caller side by invoking free_midi_urbs(). However, free_midi_urbs() loops only for ep->num_urbs entries, and since ep->num_entries wasn't updated yet at the allocation / init error in alloc_midi_urbs(), this entry won't be released.

The intention of free_midi_urbs() is to release the whole elements, so change the loop size to NUM_URBS to scan over all elements for fixing the missed releases.

Also, the call of free_midi_urbs() is missing at snd_usb_midi_v2_open(). Although it'll be released later at reopen/close or disconnection, it's better to release immediately at the error path.

Meta Information
Published: 2025-12-24
Last Modified: 2025-12-24
Generated: 2026-06-16
AI Q&A: 2025-12-24
EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Vendor: linux
Product: linux_kernel
Version / Range: *

Executive Summary

This vulnerability is a potential memory leak in the Linux kernel's ALSA usb-audio driver related to MIDI 2.0 / UMP devices. Specifically, when an error occurs during allocation and initialization in the alloc_midi_urbs() function, the cleanup function free_midi_urbs() does not release all allocated memory because it loops based on an outdated count of entries. This causes some memory not to be freed immediately, leading to a memory leak. The fix involves changing the loop to cover all elements and adding a missing call to free_midi_urbs() in the error path to release memory promptly.
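
The counting mismatch described above, as an added userspace model (not the kernel's code and not taken from the fix): a cleanup loop bounded by the running count misses the slot that failed before it was counted, while a loop over NUM_URBS releases it. The names model_ep, model_alloc_urbs, model_free_urbs and leaked_after_error, the use of malloc() in place of URB allocation, and the value 8 for NUM_URBS are assumptions made for this model, as is the per-slot update of num_urbs.

```c
#include <stdio.h>
#include <stdlib.h>
#define NUM_URBS 8            /* constructed size for this model */
struct model_ep {             /* hypothetical stand-in for the endpoint */
    void *urbs[NUM_URBS];
    int num_urbs;             /* assumed: advanced only after a slot is set up */
};
static int live;              /* buffers currently allocated */

/* Slot fail_at is allocated, then its setup "fails" before it is counted. */
static int model_alloc_urbs(struct model_ep *ep, int fail_at)
{
    for (int i = 0; i < NUM_URBS; i++) {
        ep->urbs[i] = malloc(64);
        if (!ep->urbs[i])
            return -1;
        live++;
        if (i == fail_at)
            return -1;        /* error path: num_urbs not updated yet */
        ep->num_urbs++;
    }
    return 0;
}

/* limit == ep->num_urbs is the old loop, limit == NUM_URBS the fixed one. */
static void model_free_urbs(struct model_ep *ep, int limit)
{
    for (int i = 0; i < limit; i++) {
        if (ep->urbs[i]) live--;
        free(ep->urbs[i]);    /* free(NULL) is a no-op */
        ep->urbs[i] = NULL;
    }
    ep->num_urbs = 0;
}

/* Buffers still allocated after the caller's error-path cleanup. */
static int leaked_after_error(int fail_at, int fixed)
{
    struct model_ep ep = {0};
    live = 0;
    int err = model_alloc_urbs(&ep, fail_at);
    if (err)
        model_free_urbs(&ep, fixed ? NUM_URBS : ep.num_urbs);
    int leaked = err ? live : 0;
    model_free_urbs(&ep, NUM_URBS);   /* tidy up the model itself */
    return leaked;
}

int main(void) { printf("%d %d\n", leaked_after_error(3, 0), leaked_after_error(3, 1)); return 0; }
```

The first number printed is the count left behind by the count-bounded loop, the second by the full-range loop.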

Impact Analysis

This vulnerability can lead to memory leaks in the Linux kernel when using USB audio devices with MIDI 2.0 / UMP support. Over time, these leaks could consume system memory unnecessarily, potentially degrading system performance or causing instability if the leaks accumulate significantly.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the ALSA usb-audio component has the fix for the memory leak in alloc_midi_urbs(), specifically where free_midi_urbs() properly releases all elements and is called at the error path in snd_usb_midi_v2_open().
