CVE-2025-37891: 
Linux Kernel vulnerability analysis and mitigation

A buffer overflow vulnerability (CVE-2025-37891) was discovered in the Linux kernel's ALSA (Advanced Linux Sound Architecture) UMP (Universal MIDI Packet) subsystem on May 19, 2025. The vulnerability affects the MIDI 1.0 to UMP packet conversion function, specifically in the handling of SysEx messages (NVD, Wiz).

The vulnerability exists in the conversion function from MIDI 1.0 to UMP packet, which contains an internal buffer designed to store incoming MIDI bytes. The buffer was set to 4 bytes, assuming it would be sufficient for MIDI1 UMP packet data. However, the implementation overlooked that SysEx messages can require up to 6 bytes, as implemented in the doconvertto_ump() function. According to Red Hat's assessment, this vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Wiz).

When a longer SysEx message is received, the buffer overflow can occur, potentially leading to memory corruption. This vulnerability affects various versions of Red Hat Enterprise Linux and its derivatives, including versions 6, 7, 8, and 9, as well as multiple Ubuntu releases (Wiz).

The fix involves extending the buffer size from 4 to 6 bytes to properly accommodate SysEx UMP messages. This patch has been implemented in the Linux kernel, and affected users are advised to update their systems with the latest kernel version that includes this fix (NVD).