CVE-2022-49545

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Cancel pending work at closing a MIDI substream

At closing a USB MIDI output substream, there might be still a pending
work, which would eventually access the rawmidi runtime object that is
being released.  For fixing the race, make sure to cancel the pending
work at closing.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
LinuxCNA
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 15%
VendorProductVersion
linuxlinux_kernel
𝑥
< 5.10.121
linuxlinux_kernel
5.11 ≤
𝑥
< 5.15.46
linuxlinux_kernel
5.16 ≤
𝑥
< 5.17.14
linuxlinux_kernel
5.18 ≤
𝑥
< 5.18.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.234-1
fixed
bookworm
6.1.123-1
fixed
bookworm (security)
6.1.128-1
fixed
trixie
6.12.12-1
fixed
sid
6.12.16-1
fixed
References
https://git.kernel.org/stable/c/0125de38122f0f66bf61336158d12a1aabfe6425
https://git.kernel.org/stable/c/11868ca21585561659c2575b0d6508ef8e9c4291
https://git.kernel.org/stable/c/40bdb5ec957aca5c5c1924602bef6b0ab18e22d3
https://git.kernel.org/stable/c/517dcef4d2dda0132648f1e4c079ed17bba4d1a4
https://git.kernel.org/stable/c/5e5fe2b6065541c6216a7a003b0cddf386be0d2d