CVE-2025-21783 in Linuxinfo

Summary

by MITRE • 02/27/2025

In the Linux kernel, the following vulnerability has been resolved:

gpiolib: Fix crash on error in gpiochip_get_ngpios()

The gpiochip_get_ngpios() uses chip_*() macros to print messages. However these macros rely on gpiodev to be initialised and set, which is not the case when called via bgpio_init(). In such a case the printing messages will crash on NULL pointer dereference. Replace chip_*() macros by the respective dev_*() ones to avoid such crash.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 05/25/2026

The vulnerability identified as CVE-2025-21783 resides within the Linux kernel's GPIO (General Purpose Input/Output) subsystem, specifically affecting the gpiolib component responsible for managing GPIO chip operations. This issue manifests as a critical crash condition that occurs during the initialization of GPIO chips through the bgpio_init() function, representing a fundamental flaw in the kernel's error handling and resource management mechanisms. The vulnerability demonstrates a classic null pointer dereference scenario that can lead to system instability and potential denial of service conditions.

The technical root cause of this vulnerability stems from the improper use of chip_() macros within the gpiochip_get_ngpios() function, which are designed to output diagnostic messages during GPIO chip operations. These macros are specifically intended to work in conjunction with the gpiodev initialization process, which establishes the necessary context for proper message formatting and output handling. However, when the function is invoked through the bgpio_init() pathway, the gpiodev structure remains uninitialized, creating a scenario where the chip_() macros attempt to dereference a NULL pointer during message generation, resulting in an immediate system crash.

The operational impact of this vulnerability extends beyond simple system instability, as it affects the kernel's ability to properly initialize GPIO chips in embedded systems and hardware platforms that rely on bit-banged GPIO implementations. This crash condition can occur during early boot processes or when GPIO chip drivers attempt to query the number of GPIO lines available, potentially preventing system boot completion or causing unexpected system reboots. The vulnerability particularly affects systems utilizing the background GPIO (bgpio) driver framework where GPIO operations are performed without proper initialization of the GPIO device framework components.

The fix implemented addresses this issue by replacing the problematic chip_() macros with their dev_() macro counterparts, which do not require the gpiodev initialization to function properly. This change ensures that diagnostic messages can be generated even when the GPIO device framework is not yet fully initialized, preventing the null pointer dereference that previously caused the system crash. The solution aligns with established kernel development practices for error handling and resource management, ensuring that functions can operate correctly regardless of the initialization state of supporting subsystems. This remediation approach follows the principle of defensive programming and demonstrates adherence to security best practices outlined in various kernel security guidelines and standards.

This vulnerability classifies under CWE-476 as a NULL Pointer Dereference, representing a common yet critical weakness in kernel space code where assumptions about resource initialization are violated. The issue also relates to ATT&CK technique T1068 which involves exploitation of legitimate credentials and system privileges, as kernel crashes can provide attackers with opportunities to escalate privileges or cause system instability. The fix demonstrates proper error handling mechanisms and proper use of kernel APIs that align with security standards such as those recommended by the Linux Kernel Security Team and the Open Source Security Foundation. Organizations deploying Linux-based systems should prioritize this patch to maintain system stability and prevent potential exploitation of the crash condition.

Responsible

Linux

Reservation

12/29/2024

Disclosure

02/27/2025

Moderation

accepted

CPE

ready

EPSS

0.00208

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!