{
  "threat_severity" : "Low",
  "public_date" : "2025-10-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ALSA: usb-audio: Fix potential memory leaks",
    "id" : "2401488",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401488"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-911",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nALSA: usb-audio: Fix potential memory leaks\nWhen the driver hits -ENOMEM at allocating a URB or a buffer, it\naborts and goes to the error path that releases all the previously\nallocated resources.  However, when -ENOMEM hits in the middle of the\nsync EP URB allocation loop, the partially allocated URBs might be\nleft unreleased, because ep->nurbs is still zero at that point.\nFix it by setting ep->nurbs at first, so that the error handler loops\nover the full URB list.", "A memory leak was found in the Linux kernel's USB audio driver (ALSA usb-audio) in the synchronization-endpoint URB allocation path. When a memory allocation fails partway through allocating the URBs for a sync endpoint, the error handler fails to release the URBs allocated so far because the endpoint's URB counter (ep->nurbs) has not yet been updated and the cleanup loop therefore runs zero times. The orphaned URBs and their buffers are never freed; repeated allocation failures during USB audio setup exhaust kernel memory, which is a denial of service." ],
  "statement" : "USB audio devices stream samples over isochronous endpoints and, for asynchronous clock recovery, often pair a data endpoint with a separate synchronization endpoint. Before streaming starts, the driver allocates a fixed set of URBs (USB Request Blocks) for each endpoint in a loop: allocate a URB, allocate its transfer buffer, repeat. The ep->nurbs field records how many URB slots the endpoint owns, and the shared error handler frees slots 0 through ep->nurbs-1. In the sync-endpoint path, ep->nurbs was only assigned after the whole loop had completed. If an allocation fails partway (for example, five URBs succeed and the sixth returns -ENOMEM), execution jumps to the error handler, but ep->nurbs is still zero, so the cleanup loop does not run and the five URBs and their buffers are abandoned. Each time sync-endpoint setup fails under memory pressure another batch leaks, so repeated failures consume kernel memory. The leak can only be triggered when an allocation fails, which requires memory pressure at the moment a USB audio device is being configured, and the only impact is on availability, consistent with the CVSS vector above. The fix assigns ep->nurbs before entering the loop so that the error handler walks every slot. This is safe because the endpoint structure is zero-initialized and the per-URB release routine tolerates slots that were never filled: usb_free_urb() accepts a NULL pointer, and the transfer buffer is only freed when the slot records that one was attached.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-05-16T00:00:00Z",
    "advisory" : "RHSA-2023:2951",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-477.10.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50484", "https://nvd.nist.gov/vuln/detail/CVE-2022-50484", "https://lore.kernel.org/linux-cve-announce/2025100440-CVE-2022-50484-1a6a@gregkh/T" ],
  "name" : "CVE-2022-50484",
  "csaw" : false
}
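The allocation-loop ordering described in the statement above, as an added example that is not part of the advisory or of the kernel source. It is a user-space model, not the driver: the structures, the allocator with fault injection, the slot count MODEL_SYNC_URBS and the function names are all constructed here. The model keeps the shape of the kernel's cleanup path (a per-slot release that tolerates empty slots, and a loop bounded by ep->nurbs) and runs the same allocation loop twice, once with ep->nurbs assigned after the loop (the vulnerable ordering) and once with it assigned before (the fix), counting how many objects are still live after a mid-loop -ENOMEM.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#define ENOMEM 12
#define MODEL_SYNC_URBS 8   /* slots in this model; not the driver's constant */

/* Constructed stand-ins for the driver's structures (not the kernel's definitions). */
struct urb_ctx {
    void *urb;              /* models struct urb * */
    void *transfer_buffer;  /* models the buffer attached to the URB */
    size_t buffer_size;
};

struct sync_ep {
    unsigned int nurbs;     /* how many slots the release loop will walk */
    struct urb_ctx urb[MODEL_SYNC_URBS];
};

/* Fault-injecting allocator: the fail_at-th call returns NULL (0 = never fail).
   g_live counts objects currently allocated, i.e. leaks once setup has failed. */
static int g_live, g_calls, g_fail_at;

static void *inject_alloc(size_t sz)
{
    if (++g_calls == g_fail_at)
        return NULL;
    void *p = malloc(sz);
    if (p)
        g_live++;
    return p;
}

static void inject_free(void *p)
{
    if (p) {
        g_live--;
        free(p);
    }
}

/* Per-slot release, modelled on the driver's: safe on slots never filled in. */
static void release_urb_ctx(struct urb_ctx *u)
{
    if (u->urb && u->buffer_size)
        inject_free(u->transfer_buffer);
    inject_free(u->urb);          /* NULL is a no-op, like usb_free_urb(NULL) */
    u->urb = NULL;
    u->transfer_buffer = NULL;
    u->buffer_size = 0;
}

/* Endpoint release: only walks ep->nurbs slots, which is the whole bug. */
static void release_urbs(struct sync_ep *ep)
{
    for (unsigned int i = 0; i < ep->nurbs; i++)
        release_urb_ctx(&ep->urb[i]);
    ep->nurbs = 0;
}

/* Sync-EP allocation loop. nurbs_first=0 reproduces the vulnerable ordering
   (counter assigned after the loop); nurbs_first=1 is the fixed ordering. */
static int alloc_sync_urbs(struct sync_ep *ep, int nurbs_first)
{
    memset(ep, 0, sizeof(*ep));   /* the driver's endpoint is zero-allocated */
    if (nurbs_first)
        ep->nurbs = MODEL_SYNC_URBS;
    for (unsigned int i = 0; i < MODEL_SYNC_URBS; i++) {
        struct urb_ctx *u = &ep->urb[i];
        u->urb = inject_alloc(64);
        if (!u->urb)
            goto out_of_memory;
        u->transfer_buffer = inject_alloc(4);
        if (!u->transfer_buffer)
            goto out_of_memory;
        u->buffer_size = 4;
    }
    if (!nurbs_first)
        ep->nurbs = MODEL_SYNC_URBS;
    return 0;

out_of_memory:
    release_urbs(ep);             /* with nurbs still 0 this frees nothing */
    return -ENOMEM;
}

/* One setup attempt with the allocator failing on call fail_at; returns the
   number of objects still live afterwards (0 means nothing leaked). */
int leaked_objects(int fail_at, int nurbs_first)
{
    struct sync_ep ep;
    g_live = 0; g_calls = 0; g_fail_at = fail_at;
    if (alloc_sync_urbs(&ep, nurbs_first) == 0)
        release_urbs(&ep);        /* successful setup, then normal teardown */
    return g_live;
}

int main(void)
{
    /* five URBs (10 allocations) succeed, the sixth URB allocation fails */
    printf("fail on 6th URB, vulnerable ordering: %d objects leaked\n", leaked_objects(11, 0));
    printf("fail on 6th URB, fixed ordering:      %d objects leaked\n", leaked_objects(11, 1));
    printf("fail on 6th buffer, fixed ordering:   %d objects leaked\n", leaked_objects(12, 1));
    return 0;
}
```

Calling leaked_objects(11, 0) leaks ten objects (five URBs plus their buffers) because release_urbs() walks zero slots; leaked_objects(11, 1) leaks nothing because the loop bound is already the full slot count, and the half-filled sixth slot in the fail_at=12 case is handled by the NULL-tolerant per-slot release. To reproduce the resource-exhaustion angle, call the vulnerable variant in a loop and watch the leaked count grow by ten per failed attempt.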