CVE-2025-38105

Source: https://cve.org/CVERecord?id=CVE-2025-38105
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38105.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2025-38105
Published: 2025-07-03T08:35:15.301Z
Modified: 2026-03-11T07:46:00.755228Z
Summary
ALSA: usb-audio: Kill timer properly at removal
Details

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Kill timer properly at removal

The USB-audio MIDI code initializes the timer, but in a rare case, the driver might be freed without the disconnect call. This leaves the timer in an active state while the assigned object is released via snd_usbmidi_free(), which ends up with a kernel warning when the debug configuration is enabled, as spotted by fuzzer.

For avoiding the problem, put timer_shutdown_sync() at snd_usbmidi_free(), so that the timer can be killed properly. While we're at it, replace the existing timer_delete_sync() at the disconnect callback with timer_shutdown_sync(), too.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38105.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
Introduced: c88469704d63787e8d44ca5ea1c1bd0adc29572d
Fixed: 647410a7da46067953a53c0d03f8680eff570959
Fixed: c611b9e55174e439dcd85a72969b43a95f3827a4
Fixed: 62066758d2ae169278e5d6aea5995b1b6f6ddeb5
Fixed: 0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1

Database specific

source: "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38105.json"