PT-2025-14324 · Linux+7 · Linux Kernel+7
Published: 2025-02-24 · Updated: 2026-01-20
CVE-2025-21943
CVSS v3.1: 4.7 (Medium)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
A vulnerability in the Linux kernel has been resolved, related to the gpio aggregator driver. The issue arises when the new_device_store and delete_device_store handlers touch module global resources, such as gpio_aggregator_lock, without holding a reference to the module, which allows them to race with module unload. This can cause various issues, including dangling platform devices and GPIO forwarders, resulting in system instability and warnings. A reproducer script demonstrates these problems by concurrently allocating and deallocating devices while unloading the module.
Recommendations
To resolve this issue, apply the patch that adds try_module_get() in the new_device_store and delete_device_store handlers. As a temporary workaround, consider restricting the use of the gpio aggregator driver until the patch is applied. Avoid using the new_device_store and delete_device_store handlers concurrently with module unload to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Race Condition
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu