CVE-2025-40249
Description
In the Linux kernel, the following vulnerability has been resolved:
gpio: cdev: make sure the cdev fd is still active before emitting events
With the final call to fput() on a file descriptor, the release action may be deferred and scheduled on a work queue. The reference count of that descriptor is still zero and it must not be used. It's possible that a GPIO change that we want to notify user-space about happens AFTER the reference count on the file descriptor associated with the character device went down to zero but BEFORE the .release() callback was called from the workqueue and so BEFORE we unregistered from the notifier.
Using the regular get_file() routine in this situation triggers the following warning:
struct file::f_count incremented from zero; use-after-free condition present!
So use the get_file_active() variant that will return NULL on file descriptors that have been or are being released.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in the Linux kernel's GPIO character device driver (gpio-cdev): a line-state event could be emitted on a struct file whose reference count had already dropped to zero but whose deferred .release() had not yet run, so the event path took a reference on a dead file.
Root Cause
In gpio-cdev, the final fput() on the character device's file does not necessarily release it inline; the release work may be deferred to a workqueue. Between the moment the reference count reaches zero and the moment the deferred .release() callback runs and unregisters from the notifier, the notifier is still live, so a GPIO change arriving in that window is delivered to a callback that takes a reference on the dying file with get_file(). get_file() increments the count unconditionally, and its sanity check reports an increment from zero as a use-after-free, which is the warning quoted in the description [1].
Exploitation
The precondition is a user-space process that has opened /dev/gpiochipN (or a line request obtained from it) and closes the descriptor at a moment when the final fput() is deferred rather than run inline. A GPIO state change must then occur in the narrow window before the workqueue executes .release() and unregisters from the notifier [1]. Access to the character device is governed by the device node's permissions, and whether a line change can be provoked inside that window depends on what drives the line (hardware, another driver, or another user of the chip); the fix description characterises only the race itself and does not describe a specific attack scenario [1].
Impact
The warning quoted in the description is the kernel's refcount sanity check firing: a reference was taken on a struct file whose count was already zero, which is a use-after-free on that object [1]. In the best case the outcome is the warning itself; if the freed memory is reused before the stale reference is dropped, the outcome is memory corruption and a crash (denial of service). The description does not claim a privilege-escalation path, and none should be inferred from the warning alone.
Mitigation
The fix (commit d4cd0902c156b2ca60fdda8cd8b5bcb4b0e9ed64, also carried in the stable tree) replaces get_file() with get_file_active() in the event path. get_file_active() takes a reference only if the count is still non-zero and returns NULL otherwise, so a callback racing with a deferred release sees NULL and skips emitting the event instead of reviving a dead file [1]. Users should update to a kernel version containing this commit or its stable backport.
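The window described in the Root Cause and Mitigation paragraphs above, replayed in user space as an added example (this is not kernel code and not the project's own code). The model_* helpers are hypothetical stand-ins that keep the semantics of the kernel helpers named in the text: get_file() increments unconditionally and warns on an increment from zero, get_file_active() increments only if the count is still non-zero, and the last fput() defers the release instead of running it inline. replay_race() runs the commit message's interleaving with each variant:

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not kernel code. The model_* names are hypothetical;
 * they mirror the semantics of get_file(), get_file_active() and fput(). */
struct file {
    atomic_long f_count;   /* reference count, like struct file::f_count */
    bool released;         /* set once the deferred .release() has run */
};

static struct file *pending_release;  /* the one-slot "workqueue" */
static int warnings;                  /* refcount-from-zero warnings seen */
static int events_emitted;
static int events_skipped;

/* Model of get_file(): increments unconditionally; like the kernel's
 * sanity check, an increment from zero is reported as a use-after-free. */
static struct file *model_get_file(struct file *f)
{
    long old = atomic_fetch_add(&f->f_count, 1);
    if (old == 0) {
        warnings++;
        printf("WARNING: struct file::f_count incremented from zero; "
               "use-after-free condition present!\n");
    }
    return f;
}

/* Model of get_file_active(): inc-not-zero via a CAS loop. A count that is
 * already zero is never revived; the caller gets NULL instead. */
static struct file *model_get_file_active(struct file *f)
{
    long cur = atomic_load(&f->f_count);
    while (cur != 0) {
        if (atomic_compare_exchange_weak(&f->f_count, &cur, cur + 1))
            return f;
        /* cur now holds the value the failed CAS observed; retry */
    }
    return NULL;
}

/* Model of fput(): the last reference queues the release rather than running
 * it inline. Until that work runs, the object is in the dangerous state from
 * the commit message: count zero, .release() not run, notifier registered. */
static void model_fput(struct file *f)
{
    if (atomic_fetch_sub(&f->f_count, 1) == 1)
        pending_release = f;
}

/* The deferred .release(): where the notifier would be unregistered. */
static void run_deferred_release(void)
{
    if (pending_release) {
        pending_release->released = true;
        pending_release = NULL;
    }
}

/* The notifier callback that wants to queue an event for user space.
 * use_active selects pre-fix (get_file) or post-fix (get_file_active). */
static bool emit_event(struct file *f, bool use_active)
{
    if (f->released)   /* after .release() the callback is no longer registered */
        return false;
    struct file *ref = use_active ? model_get_file_active(f) : model_get_file(f);
    if (!ref) {
        events_skipped++;   /* fixed path: nobody is listening, drop the event */
        return false;
    }
    events_emitted++;       /* event queued on the file; reference dropped after */
    model_fput(ref);
    return true;
}

/* Replays the interleaving: final close, a GPIO change inside the window,
 * then the deferred release. Returns how many warnings fired. */
int replay_race(bool use_active)
{
    struct file f;
    atomic_init(&f.f_count, 1);
    f.released = false;
    pending_release = NULL;
    warnings = events_emitted = events_skipped = 0;

    model_fput(&f);               /* user space closes the fd: count -> 0, release deferred */
    emit_event(&f, use_active);   /* GPIO change arrives before .release() runs */
    run_deferred_release();       /* workqueue finally runs .release() */
    return warnings;
}

int main(void)
{
    int w = replay_race(false);
    printf("get_file():        warnings=%d emitted=%d\n", w, events_emitted);
    w = replay_race(true);
    printf("get_file_active(): warnings=%d skipped=%d\n", w, events_skipped);
    return 0;
}
```

With the unconditional increment the callback "succeeds" and queues an event on a file that is already dead, which is exactly what the kernel's warning flags; with inc-not-zero the lookup returns NULL and the event is dropped, the correct outcome since no reader will ever drain it. The same rule (inc-not-zero on lookup from an asynchronous path, never a bare increment) applies to any object whose final put may be deferred.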
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
dccc6daa8afa
d4cd0902c156
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)