CVE-2025-40070 in Linuxinfo

Summary

by MITRE • 10/28/2025

In the Linux kernel, the following vulnerability has been resolved:

pps: fix warning in pps_register_cdev when register device fail

Similar to previous commit 2a934fdb01db ("media: v4l2-dev: fix error handling in __video_register_device()"), the release hook should be set before device_register(). Otherwise, when device_register() return error and put_device() try to callback the release function, the below warning may happen.

------------[ cut here ]------------
WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567 Modules linked in: CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567 Call Trace: <TASK> kobject_cleanup+0x136/0x410 lib/kobject.c:689 kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0xe9/0x130 lib/kobject.c:737 put_device+0x24/0x30 drivers/base/core.c:3797 pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402 pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108 pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57 tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432 tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563 tiocsetd drivers/tty/tty_io.c:2429 [inline]
tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728 vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:598 [inline]
__se_sys_ioctl fs/ioctl.c:584 [inline]
__x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK>

Before commit c79a39dc8d06 ("pps: Fix a use-after-free"), pps_register_cdev() call device_create() to create pps->dev, which will init dev->release to device_create_release(). Now the comment is outdated, just remove it.

Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed in pps_register_source() to avoid a double free in the failure case.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/15/2026

The vulnerability described in CVE-2025-40070 pertains to a flaw in the Linux kernel's PPS (Pulse Per Second) subsystem, specifically within the pps_register_cdev function. This issue manifests as a warning during device registration failure scenarios, where improper error handling leads to potential use-after-free conditions. The vulnerability arises from the sequence of operations during device registration, where the release hook is not properly established before device registration occurs, creating a race condition that can trigger kernel warnings and instability. The warning trace indicates a failure in the device_release function within the kernel's base core module, specifically at line 2567 in drivers/base/core.c, which occurs when put_device attempts to invoke the release function on a device that has not been properly initialized.

The technical root cause stems from improper ordering of operations in the pps_register_cdev function, where device_register() is called before the release hook is properly set. This mirrors a previously identified issue in the V4L2 subsystem, as referenced in commit 2a934fdb01db, demonstrating a recurring pattern in kernel device management where error handling sequences must be carefully ordered to prevent undefined behavior. When device_register() returns an error, the subsequent call to put_device() attempts to invoke the release function, but due to the improper initialization sequence, this can lead to a kernel warning and potential memory corruption. The issue is compounded by the fact that device_create() was previously used to initialize dev->release to device_create_release(), but this initialization is not properly coordinated with the error handling flow, leading to the warning message shown in the stack trace.

The operational impact of this vulnerability is significant within kernel environments that utilize PPS devices, particularly in systems requiring precise time synchronization or embedded applications where kernel stability is paramount. The warning message indicates a potential for use-after-free conditions, which can lead to system crashes, memory corruption, or in more severe cases, privilege escalation opportunities. Attackers could potentially exploit this timing issue to cause denial of service or, in scenarios where the kernel's memory management is compromised, gain elevated privileges. The vulnerability affects the broader Linux kernel ecosystem, particularly systems that rely on PPS functionality for timekeeping, such as GPS receivers, network time protocol implementations, and precision timing applications. The error handling sequence failure impacts not only the immediate device registration but also the overall reliability of kernel subsystems that depend on proper device lifecycle management.

Mitigation strategies for this vulnerability should focus on ensuring proper ordering of device registration operations and implementing robust error handling patterns within the PPS subsystem. The fix involves removing the outdated comment that referenced the previous implementation and properly handling the release hook before device registration occurs, as demonstrated by the referenced commit c79a39dc8d06. System administrators should ensure that all kernel updates are applied promptly to address this vulnerability, particularly in production environments where kernel stability is critical. The fix also includes removing the kfree_pps call in pps_register_source() to prevent double-free conditions during failure cases, which aligns with common security practices for preventing memory corruption vulnerabilities. Additionally, implementing proper kernel hardening measures, such as enabling kernel address space layout randomization and stack canaries, can provide additional defense in depth against potential exploitation of similar timing-based vulnerabilities. This issue also highlights the importance of adhering to established kernel development practices and following the ATT&CK framework's considerations for kernel-level attacks, where improper resource management can lead to privilege escalation and system compromise. The vulnerability classification aligns with CWE-415, which addresses double free conditions, and CWE-457, which covers use of uninitialized variables, both of which are common in kernel memory management errors.

Responsible

Linux

Reservation

04/16/2025

Disclosure

10/28/2025

Moderation

accepted

CPE

ready

EPSS

0.00193

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!