CVE-2022-49545: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49545 affects the Linux kernel's ALSA (Advanced Linux Sound Architecture) USB-audio subsystem. The vulnerability was discovered and disclosed in February 2025, specifically related to a race condition in the MIDI substream closing process. The issue affects the USB MIDI output functionality in the Linux kernel's sound system (NVD, Ubuntu).

The vulnerability occurs when closing a USB MIDI output substream, where a pending work might still be active and could potentially access the rawmidi runtime object that is being released. This creates a race condition that could lead to memory access issues. The fix involves ensuring that any pending work is properly cancelled before closing the substream (Kernel Commit).

The vulnerability could potentially lead to memory corruption or system instability when USB MIDI devices are disconnected or when their audio streams are closed. This affects systems using USB audio devices with MIDI capabilities (NVD).

The issue has been fixed in the Linux kernel by adding a call to cancel_work_sync() before closing the MIDI substream. Users are advised to update their kernel to a version containing the fix. Various Linux distributions have incorporated the patch into their kernel updates (Kernel Commit).