AZL-70627

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-70627.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-70627

Upstream

CVE-2025-38105

Published

2025-07-03T09:15:23Z

Modified

2026-04-01T05:21:57.698367Z

Summary

CVE-2025-38105 affecting package kernel 5.15.200.1-1

Details

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Kill timer properly at removal

The USB-audio MIDI code initializes the timer, but in a rare case, the driver might be freed without the disconnect call. This leaves the timer in an active state while the assigned object is released via sndusbmidifree(), which ends up with a kernel warning when the debug configuration is enabled, as spotted by fuzzer.

For avoiding the problem, put timershutdownsync() at sndusbmidifree(), so that the timer can be killed properly. While we're at it, replace the existing timerdeletesync() at the disconnect callback with timershutdownsync(), too.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-38105

Affected packages

Azure Linux:2 / kernel

Package

Name: kernel
Purl: pkg:rpm/azure-linux/kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

5.15.200.1-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-70627.json"