CVE-2023-54022
Unknown Unknown - Not Provided

Memory Leak in Linux Kernel ALSA USB-Audio MIDI 2.0 Component

Vulnerability report for CVE-2023-54022, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential memory leaks at error path for UMP open The allocation and initialization errors at alloc_midi_urbs() that is called at MIDI 2.0 / UMP device are supposed to be handled at the caller side by invoking free_midi_urbs(). However, free_midi_urbs() loops only for ep->num_urbs entries, and since ep->num_entries wasn't updated yet at the allocation / init error in alloc_midi_urbs(), this entry won't be released. The intention of free_midi_urbs() is to release the whole elements, so change the loop size to NUM_URBS to scan over all elements for fixing the missed releases. Also, the call of free_midi_urbs() is missing at snd_usb_midi_v2_open(). Although it'll be released later at reopen/close or disconnection, it's better to release immediately at the error path.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-07-06
AI Q&A
2025-12-24
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a potential memory leak in the Linux kernel's ALSA usb-audio driver related to MIDI 2.0 / UMP devices. Specifically, when an error occurs during allocation and initialization in the alloc_midi_urbs() function, the cleanup function free_midi_urbs() does not release all allocated memory because it loops based on an outdated count of entries. This causes some memory not to be freed immediately, leading to a memory leak. The fix involves changing the loop to cover all elements and adding a missing call to free_midi_urbs() in the error path to release memory promptly.

Impact Analysis

This vulnerability can lead to memory leaks in the Linux kernel when using USB audio devices with MIDI 2.0 / UMP support. Over time, these leaks could consume system memory unnecessarily, potentially degrading system performance or causing instability if the leaks accumulate significantly.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the ALSA usb-audio component has the fix for the memory leak in alloc_midi_urbs(), specifically where free_midi_urbs() properly releases all elements and is called at the error path in snd_usb_midi_v2_open().

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-54022. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart