PT-2025-49079 · Linux+2 · Linux Kernel+2

Published: 2025-12-04 · Updated: 2026-04-06 · CVE-2025-40249

Severity: None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A flaw exists in the Linux kernel's GPIO character device handling. The issue arises when a GPIO change event occurs after the file descriptor associated with the character device has been released but before the release callback is executed. This can lead to a use-after-free condition, potentially causing system instability. The reference count of the file descriptor may already be zero when the kernel attempts to notify user space about the GPIO change. Calling the regular get_file() routine in this situation can trigger a warning indicating a use-after-free condition. The get_file_active() variant is designed to prevent this by returning NULL if the file descriptor is being released.

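The two reference-taking patterns named in the description, as a userspace C model added here for illustration (it is not kernel code and not the upstream fix). The names model_file, model_get, model_get_active, model_put and notify_change are hypothetical, and the sample objects in main() are constructed.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for the kernel's file object: only the count matters. */
struct model_file { atomic_long count; };

/* Unconditional get: always increments. *was_zero reports that the object
 * was already on its way to being freed (the case the kernel warns about). */
static struct model_file *model_get(struct model_file *f, bool *was_zero)
{
    *was_zero = (atomic_fetch_add(&f->count, 1) == 0);
    return f;
}

/* Active get: increments only while the count is non-zero, else NULL. */
static struct model_file *model_get_active(struct model_file *f)
{
    long old = atomic_load(&f->count);
    while (old != 0)
        if (atomic_compare_exchange_weak(&f->count, &old, old + 1))
            return f;
    return NULL;
}

static void model_put(struct model_file *f) { atomic_fetch_sub(&f->count, 1); }

/* Change-notification path: deliver only if a live reference was obtained. */
static bool notify_change(struct model_file *f)
{
    struct model_file *ref = model_get_active(f);
    if (!ref)
        return false;          /* being released: skip, touch nothing */
    /* ... the event would be queued for user space here ... */
    model_put(ref);
    return true;
}

int main(void)
{
    struct model_file live, dying;
    bool was_zero;
    atomic_init(&live.count, 1);   /* constructed: descriptor still open */
    atomic_init(&dying.count, 0);  /* constructed: last reference dropped */
    printf("live delivered=%d dying delivered=%d\n",
           notify_change(&live), notify_change(&dying));
    model_get(&dying, &was_zero);
    printf("unconditional get on dying object saw zero count: %d\n", was_zero);
}
```
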
Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

ALSA-2026:4012
CVE-2025-40249
RHSA-2026:4012
USN-8094-1
USN-8094-2
USN-8094-3
USN-8094-4
USN-8094-5
USN-8152-1

Affected Products

Linux Mint
Linux Kernel
Ubuntu