Linux Kernel ALSA USB Audio Vulnerability in MIDI Output Handling

Vulnerability

A vulnerability in the Linux kernel's ALSA USB audio subsystem has been addressed. The issue was in the 'snd_usbmidi_output_open()' function, which improperly used 'snd_BUG_ON()' to check for a NULL port. The check was intended to catch a potential bug, but it made a NULL port look like a real driver error, which caused confusion when 'syzbot' recently ran into it. In fact, a NULL port can occur when a device provides an invalid endpoint setup in its descriptor, which leads the driver to skip the allocation. The vulnerability has been resolved by removing the misleading 'snd_BUG_ON()' usage.

Impact

The removal of the 'snd_BUG_ON()' check clarifies the function's behavior, preventing false bug reports while maintaining proper error handling for invalid endpoint setups.
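
The following user-space model is an added example, not kernel source and not the actual patch. It shows why the open path can legitimately see a NULL port and that dropping the assertion changes only the logging, not the result. All names, the "max_packet == 0 means invalid" rule and the -ENXIO return value are assumptions of the example.

```c
/* User-space model of the pattern; hypothetical names, not kernel code. */
#include <errno.h>
#include <stdio.h>

#define MAX_EP 2
#define PORTS  4

struct port { int substream; };
struct midi_dev {
    struct port storage[MAX_EP][PORTS];
    struct port *out[MAX_EP];   /* NULL when allocation was skipped */
};
static int warn_count;          /* stands in for a kernel warning splat */

/* Constructed rule: an endpoint with max_packet == 0 is invalid, so no
 * output ports are set up for it. Its substream ids still exist. */
static void setup(struct midi_dev *d, const int max_packet[MAX_EP])
{
    for (int i = 0; i < MAX_EP; i++) {
        d->out[i] = NULL;
        if (max_packet[i] == 0)
            continue;
        d->out[i] = d->storage[i];
        for (int j = 0; j < PORTS; j++)
            d->out[i][j].substream = i * PORTS + j;
    }
}

static struct port *find_port(struct midi_dev *d, int substream)
{
    for (int i = 0; i < MAX_EP; i++)
        for (int j = 0; d->out[i] && j < PORTS; j++)
            if (d->out[i][j].substream == substream)
                return &d->out[i][j];
    return NULL;
}

/* Before: a missing port is logged as if the driver itself were broken. */
static int open_before(struct midi_dev *d, int substream)
{
    if (find_port(d, substream))
        return 0;
    warn_count++;
    return -ENXIO;
}

/* After: a missing port is an expected outcome of a bad descriptor. */
static int open_after(struct midi_dev *d, int substream)
{
    return find_port(d, substream) ? 0 : -ENXIO;
}

int main(void)
{
    struct midi_dev d;
    const int max_packet[MAX_EP] = { 64, 0 }; /* constructed: endpoint 1 invalid */
    setup(&d, max_packet);
    int before = open_before(&d, 5), after = open_after(&d, 5);
    printf("before=%d after=%d warnings=%d\n", before, after, warn_count);
    return 0;
}
```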

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 0.0
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.