usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because a transfer occurs without a reference, aka CID-056ad39ee925.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12464
Reference (s):
- https://security.netapp.com/advisory/ntap-20200608-0001/
- DEBIAN:DSA-4698
- URL: https://www.debian.org/security/2020/dsa-4698
- DEBIAN:DSA-4699
- URL: https://www.debian.org/security/2020/dsa-4699