CVE-2022-50229: ALSA: bcd2000: Fix a UAF bug on the error path of probing
In the Linux kernel, the following vulnerability has been resolved:
ALSA: bcd2000: Fix a UAF bug on the error path of probing
When the driver fails in snd_card_register() at probe time, it will free
the 'bcd2k->midi_out_urb' before killing it, which may cause a UAF bug.
The following log can reveal it:
[ 50.727020] BUG: KASAN: use-after-free in bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]
[ 50.727623] Read of size 8 at addr ffff88810fab0e88 by task swapper/4/0
[ 50.729530] Call Trace:
[ 50.732899] bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]
Fix this by adding usb_kill_urb() before usb_free_urb().
Security readout for executives and security teams
Plain-English summary
CVE-2022-50229 is a Linux kernel bug in the ALSA bcd2000 driver. If device probing fails at a specific registration step, the driver can free a USB request before stopping it, creating a use-after-free condition. The public sources do not show active exploitation or a CVSS score.
Executive priority
Treat this as a targeted Linux kernel maintenance item, not an emergency. Patch through normal kernel update channels, with higher priority for workstations, labs, kiosks, or servers where untrusted USB devices may be attached.
Technical view
The issue occurs on the probe error path when snd_card_register() fails. The driver frees bcd2k->midi_out_urb before killing it, and KASAN showed use-after-free in bcd2000_input_complete. The upstream fix adds usb_kill_urb() before usb_free_urb().
Likely exposure
Exposure appears limited to Linux systems running affected kernels with the ALSA bcd2000 driver reachable during device probing. The provided data names Linux kernel versions and stable commits, but does not define distributions, default module loading, or remote reachability.
Exploitation context
The bundle does not cite known exploitation, and KEV is false. The described trigger is a driver probe failure path, suggesting local hardware or USB-adjacent exposure rather than a general remote service risk. Evidence is incomplete on practical exploitability.
Researcher notes
The strongest evidence is the upstream kernel description and stable commit references. Severity, CVSS, CWE, exploitability, and distribution impact are not provided. Avoid claiming privilege escalation, code execution, or active exploitation without additional vendor or researcher evidence.
Mitigation direction
Update to a kernel build containing the relevant stable bcd2000 fix commit.
Check Linux distribution advisories for backported fixes in supported kernel packages.
Prioritize systems where untrusted USB devices can be attached.
If updates are delayed, follow vendor guidance for reducing bcd2000 driver exposure.
Validation and detection
Inventory Linux kernel versions against the affected version list in the CVE record.
Confirm distro kernel changelogs include the bcd2000 usb_kill_urb before usb_free_urb fix.
Check whether the snd_bcd2000 driver is present or loadable on exposed systems.
Review fleet policy for systems allowing untrusted USB device attachment.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-50229 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
10Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Jun 18, 2025, 11:04 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.