{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-40249", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.181Z", "datePublished": "2025-12-04T16:08:12.206Z", "dateUpdated": "2025-12-04T16:08:12.206Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-04T16:08:12.206Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: cdev: make sure the cdev fd is still active before emitting events\n\nWith the final call to fput() on a file descriptor, the release action\nmay be deferred and scheduled on a work queue. The reference count of\nthat descriptor is still zero and it must not be used. It's possible\nthat a GPIO change, we want to notify the user-space about, happens\nAFTER the reference count on the file descriptor associated with the\ncharacter device went down to zero but BEFORE the .release() callback\nwas called from the workqueue and so BEFORE we unregistered from the\nnotifier.\n\nUsing the regular get_file() routine in this situation triggers the\nfollowing warning:\n\n struct file::f_count incremented from zero; use-after-free condition present!\n\nSo use the get_file_active() variant that will return NULL on file\ndescriptors that have been or are being released."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpio/gpiolib-cdev.c"], "versions": [{"version": "40b7c49950bd56c984b1f6722f865b922879260e", "lessThan": "dccc6daa8afa0f64c432e4c867f275747e3415e1", "status": "affected", "versionType": "git"}, {"version": "40b7c49950bd56c984b1f6722f865b922879260e", "lessThan": "d4cd0902c156b2ca60fdda8cd8b5bcb4b0e9ed64", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpio/gpiolib-cdev.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.17.10", "lessThanOrEqual": "6.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.17.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/dccc6daa8afa0f64c432e4c867f275747e3415e1"}, {"url": "https://git.kernel.org/stable/c/d4cd0902c156b2ca60fdda8cd8b5bcb4b0e9ed64"}], "title": "gpio: cdev: make sure the cdev fd is still active before emitting events", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: cdev: make sure the cdev fd is still active before emitting events\n\nWith the final call to fput() on a file descriptor, the release action\nmay be deferred and scheduled on a work queue. The reference count of\nthat descriptor is still zero and it must not be used. It's possible\nthat a GPIO change, we want to notify the user-space about, happens\nAFTER the reference count on the file descriptor associated with the\ncharacter device went down to zero but BEFORE the .release() callback\nwas called from the workqueue and so BEFORE we unregistered from the\nnotifier.\n\nUsing the regular get_file() routine in this situation triggers the\nfollowing warning:\n\n struct file::f_count incremented from zero; use-after-free condition present!\n\nSo use the get_file_active() variant that will return NULL on file\ndescriptors that have been or are being released."}], "id": "CVE-2025-40249", "lastModified": "2025-12-04T17:15:08.283", "metrics": {}, "published": "2025-12-04T16:16:18.380", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d4cd0902c156b2ca60fdda8cd8b5bcb4b0e9ed64"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dccc6daa8afa0f64c432e4c867f275747e3415e1"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: gpio: cdev: make sure the cdev fd is still active before emitting events", "id": "2418886", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418886"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\ngpio: cdev: make sure the cdev fd is still active before emitting events\nWith the final call to fput() on a file descriptor, the release action\nmay be deferred and scheduled on a work queue. The reference count of\nthat descriptor is still zero and it must not be used. It's possible\nthat a GPIO change, we want to notify the user-space about, happens\nAFTER the reference count on the file descriptor associated with the\ncharacter device went down to zero but BEFORE the .release() callback\nwas called from the workqueue and so BEFORE we unregistered from the\nnotifier.\nUsing the regular get_file() routine in this situation triggers the\nfollowing warning:\nstruct file::f_count incremented from zero; use-after-free condition present!\nSo use the get_file_active() variant that will return NULL on file\ndescriptors that have been or are being released."], "name": "CVE-2025-40249", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-12-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-40249\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-40249\nhttps://lore.kernel.org/linux-cve-announce/2025120430-CVE-2025-40249-3972@gregkh/T"], "threat_severity": "Important"}

{}