CVE-2025-40296
Description
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: int3472: Fix double free of GPIO device during unregister
regulator_unregister() already frees the associated GPIO device. On ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to random failures when other drivers (typically Intel THC) attempt to allocate interrupts. The root cause is that the reference count of the pinctrl_intel_platform module unexpectedly drops to zero when this driver defers its probe.
This behavior can also be reproduced by unloading the module directly.
Fix the issue by removing the redundant release of the GPIO device during regulator unregistration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A double-free vulnerability in the Linux kernel's int3472 driver causes system instability when unregistering regulators, fixed by removing redundant GPIO device release.
Vulnerability
Overview
The vulnerability is a double-free bug in the Linux kernel's int3472 platform driver (drivers/platform/x86/intel/int3472/). When regulator_unregister() is called, it already frees the associated GPIO device. However, the driver also attempts to free the same GPIO device again, leading to a double-free condition. This issue manifests on ThinkPad X9 (Lunar Lake) systems and can be triggered during driver unregistration or probe deferral.
Exploitation
Conditions
The double free occurs when the driver defers its probe, causing the reference count of the pinctrl_intel_platform module to unexpectedly drop to zero. The same behavior can be reproduced by directly unloading the module. Exploitation requires local access to the system, as the attacker must be able to trigger driver unload or probe deferral. No special privileges are needed beyond the ability to interact with kernel modules.
Impact
When the double free occurs, it corrupts kernel memory, leading to random failures in other drivers that attempt to allocate interrupts. Notably, the Intel THC (Touch Host Controller) driver is affected, resulting in system instability, crashes, or denial of service. The vulnerability does not directly allow privilege escalation but can disrupt system operation.
Mitigation
The fix is included in Linux kernel stable commit [1], which removes the redundant release of the GPIO device during regulator unregistration. Users should apply the kernel patch or update to a version containing this commit to prevent the double free.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
2b8113bb56c45f0f7a3f542c1Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.