VYPR
← All advisories
Unrated severityNVD Advisory· Published Oct 28, 2025· Updated Apr 15, 2026

CVE-2025-40070

CVE-2025-40070

Description

In the Linux kernel, the following vulnerability has been resolved:

pps: fix warning in pps_register_cdev when register device fail

Similar to previous commit 2a934fdb01db ("media: v4l2-dev: fix error handling in __video_register_device()"), the release hook should be set before device_register(). Otherwise, when device_register() return error and put_device() try to callback the release function, the below warning may happen.

------------[ cut here ]------------ WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567 Modules linked in: CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567 Call Trace:

kobject_cleanup+0x136/0x410 lib/kobject.c:689 kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0xe9/0x130 lib/kobject.c:737 put_device+0x24/0x30 drivers/base/core.c:3797 pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402 pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108 pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57 tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432 tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563 tiocsetd drivers/tty/tty_io.c:2429 [inline] tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:598 [inline] __se_sys_ioctl fs/ioctl.c:584 [inline] __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Before commit c79a39dc8d06 ("pps: Fix a use-after-free"), pps_register_cdev() call device_create() to create pps->dev, which will init dev->release to device_create_release(). Now the comment is outdated, just remove it.

Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed in pps_register_source() to avoid a double free in the failure case.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing release hook in the Linux kernel's PPS driver can trigger a kernel warning when device registration fails, potentially leading to a denial of service.

Vulnerability

Overview

In the Linux kernel, the PPS (Pulse Per Second) driver's pps_register_cdev() function fails to set the device release hook before calling device_register(). When device_register() returns an error, put_device() triggers the release callback, but because the hook is not set, a kernel warning is generated. This issue a stack trace [1]. This is similar to a previously fixed issue in the V4L2 video device driver (commit 2a934fdb01db).

Exploitation

Conditions

The vulnerability can be triggered by an unprivileged user through the PPS line discipline (pps-ldisc). By opening a TTY device and setting the line discipline to PPS via TIOCSETD ioctl, the kernel calls pps_tty_open(), which eventually invokes pps_register_source() and then pps_register_cdev(). If the device registration fails (e.g., due to resource exhaustion), the missing release hook causes the warning [1]. No special privileges are required beyond access to a TTY device.

Impact

An attacker who can trigger the error path can cause a kernel warning, which may result in a denial of service (system crash or hang) depending on the kernel configuration (e.g., if panic_on_warn is set). The warning itself is a local denial-of-service condition, as it can disrupt system stability [1].

Mitigation

The fix is to set the release hook (kfree_pps) before calling device_register(), similar to the fix in the V4L2 driver. The patch has been applied to the Linux kernel stable branches [1][2][3]. Users should update to a kernel version containing the fix (e.g., commits b0531cdba502, f01fa3588e0b, 38c7bb10aae5). No workaround is available; updating the kernel is the recommended mitigation.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

8
38c7bb10aae5
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
2a194707ca27
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
125527db4180
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
4cbd7450a22c
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
cf71834a0cfc
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
f01fa3588e0b
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
0f97564a1fb6
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
b0531cdba502
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8

News mentions

0

No linked articles in our index yet.