A vulnerability was found in the ALSA sh driver of Linux Kernel, when the snd_pcm_substream closes and deallocates aica_channel, which can still be accessed by the spu_dma_work scheduled by dreamcastcard->timer and del_timer() returns directly, allowing the worker thread to be rescheduled during timer handling potentially leads to an Use-After-Free.
Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.