CVE-2025-40249 (GCVE-0-2025-40249)

Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-04 16:08
VLAI?
Summary
In the Linux kernel, the following vulnerability has been resolved: gpio: cdev: make sure the cdev fd is still active before emitting events With the final call to fput() on a file descriptor, the release action may be deferred and scheduled on a work queue. The reference count of that descriptor is still zero and it must not be used. It's possible that a GPIO change, we want to notify the user-space about, happens AFTER the reference count on the file descriptor associated with the character device went down to zero but BEFORE the .release() callback was called from the workqueue and so BEFORE we unregistered from the notifier. Using the regular get_file() routine in this situation triggers the following warning: struct file::f_count incremented from zero; use-after-free condition present! So use the get_file_active() variant that will return NULL on file descriptors that have been or are being released.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 40b7c49950bd56c984b1f6722f865b922879260e , < dccc6daa8afa0f64c432e4c867f275747e3415e1 (git)
Affected: 40b7c49950bd56c984b1f6722f865b922879260e , < d4cd0902c156b2ca60fdda8cd8b5bcb4b0e9ed64 (git)
Create a notification for this product.
    Linux Linux Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpio/gpiolib-cdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dccc6daa8afa0f64c432e4c867f275747e3415e1",
              "status": "affected",
              "version": "40b7c49950bd56c984b1f6722f865b922879260e",
              "versionType": "git"
            },
            {
              "lessThan": "d4cd0902c156b2ca60fdda8cd8b5bcb4b0e9ed64",
              "status": "affected",
              "version": "40b7c49950bd56c984b1f6722f865b922879260e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpio/gpiolib-cdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: cdev: make sure the cdev fd is still active before emitting events\n\nWith the final call to fput() on a file descriptor, the release action\nmay be deferred and scheduled on a work queue. The reference count of\nthat descriptor is still zero and it must not be used. It\u0027s possible\nthat a GPIO change, we want to notify the user-space about, happens\nAFTER the reference count on the file descriptor associated with the\ncharacter device went down to zero but BEFORE the .release() callback\nwas called from the workqueue and so BEFORE we unregistered from the\nnotifier.\n\nUsing the regular get_file() routine in this situation triggers the\nfollowing warning:\n\n  struct file::f_count incremented from zero; use-after-free condition present!\n\nSo use the get_file_active() variant that will return NULL on file\ndescriptors that have been or are being released."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T16:08:12.206Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dccc6daa8afa0f64c432e4c867f275747e3415e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/d4cd0902c156b2ca60fdda8cd8b5bcb4b0e9ed64"
        }
      ],
      "title": "gpio: cdev: make sure the cdev fd is still active before emitting events",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40249",
    "datePublished": "2025-12-04T16:08:12.206Z",
    "dateReserved": "2025-04-16T07:20:57.181Z",
    "dateUpdated": "2025-12-04T16:08:12.206Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-40249\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-04T16:16:18.380\",\"lastModified\":\"2025-12-04T17:15:08.283\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngpio: cdev: make sure the cdev fd is still active before emitting events\\n\\nWith the final call to fput() on a file descriptor, the release action\\nmay be deferred and scheduled on a work queue. The reference count of\\nthat descriptor is still zero and it must not be used. It\u0027s possible\\nthat a GPIO change, we want to notify the user-space about, happens\\nAFTER the reference count on the file descriptor associated with the\\ncharacter device went down to zero but BEFORE the .release() callback\\nwas called from the workqueue and so BEFORE we unregistered from the\\nnotifier.\\n\\nUsing the regular get_file() routine in this situation triggers the\\nfollowing warning:\\n\\n  struct file::f_count incremented from zero; use-after-free condition present!\\n\\nSo use the get_file_active() variant that will return NULL on file\\ndescriptors that have been or are being released.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/d4cd0902c156b2ca60fdda8cd8b5bcb4b0e9ed64\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/dccc6daa8afa0f64c432e4c867f275747e3415e1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.