CVE-2025-40249 in Linux

Summary

by MITRE • 12/04/2025

In the Linux kernel, the following vulnerability has been resolved:

gpio: cdev: make sure the cdev fd is still active before emitting events

With the final call to fput() on a file descriptor, the release action may be deferred and scheduled on a work queue. The reference count of that descriptor is still zero and it must not be used. It's possible that a GPIO change we want to notify user-space about happens AFTER the reference count on the file descriptor associated with the character device went down to zero but BEFORE the .release() callback was called from the workqueue, and so BEFORE we unregistered from the notifier.

Using the regular get_file() routine in this situation triggers the following warning:

struct file::f_count incremented from zero; use-after-free condition present!

So use the get_file_active() variant that will return NULL on file descriptors that have been or are being released.


Analysis

by VulDB Data Team • 02/24/2026

This vulnerability lies in the Linux kernel's GPIO character device (cdev) subsystem, where a race can occur between file descriptor cleanup and event notification. It manifests when a GPIO change event has to be delivered to userspace while the associated file descriptor is in the process of being released. The GPIO cdev interface is how userspace applications get access to GPIO lines, and the flaw occurs during teardown of file descriptors that have registered for GPIO notifications. It is particularly concerning because it is a use-after-free condition, which can lead to system instability or potentially to privilege escalation.

The technical flaw stems from improper handling of the file's reference count during the cleanup phase of GPIO cdev operations. When a userspace application closes a GPIO cdev file descriptor, the kernel may defer the actual release action and schedule it on a work queue rather than running it immediately. If a GPIO event arrives during this deferral window, the notifier tries to take a reference on the file with the regular get_file() function. Because the reference count has already dropped to zero, get_file() emits a warning about incrementing a count from zero, which signals a use-after-free. This violates fundamental kernel object-lifetime rules and can lead to memory corruption or system crashes.

The operational impact goes beyond simple instability: the race could potentially be turned into privilege escalation or denial of service. Attackers could attempt to hit the window by rapidly opening and closing GPIO cdev file descriptors while GPIO events are being generated, so that the kernel's notification path touches freed memory. This is particularly dangerous in embedded or real-time systems, where GPIO operations are frequent and critical to normal operation. Any Linux system running a kernel version that contains the affected GPIO cdev code is exposed, making this a widespread concern for device drivers and embedded deployments.

Mitigation requires both the kernel-level fix and operational precautions. The primary fix replaces get_file() with the get_file_active() variant, which handles files that have been or are being released by returning NULL instead of incrementing a reference count from zero, so no event is emitted for a descriptor that is no longer active. This follows common practice for preventing use-after-free conditions and the principle of defensive programming. System administrators should update to kernels that contain the patched GPIO cdev implementation, and developers should review their own GPIO event handling code for proper synchronization with file descriptor cleanup. The weakness is classified as CWE-416 (Use After Free), and the fix reflects good practice for kernel-level memory management and concurrent access control.
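To make the difference between the two primitives concrete, here is an added user-space C model written for this page (it is not kernel code, and the real kernel helpers carry additional locking that this model leaves out). It mimics the semantics described in the summary and analysis above using C11 atomics: an unconditional increment that can only report a zero count after the fact, beside an increment-if-not-zero that returns NULL once the last reference is gone, so a notifier can drop the event instead of touching a released file. All `_sim` names, `struct file_sim` and the scenario helpers are hypothetical.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for struct file: only the reference count matters.
 * A count of 0 means the last reference was dropped; the object may be in
 * the deferred-release window or already freed. */
struct file_sim {
    atomic_long f_count;
    const char *name;
};

/* Set when the unconditional variant observes a zero count; this mirrors
 * the condition behind the warning quoted in the summary. */
static bool uaf_warning_seen;

/* Like get_file(): always increments. A zero count is detected only after
 * the fact, and a pointer to a dead object is still handed back. */
static struct file_sim *get_file_sim(struct file_sim *f)
{
    long prior = atomic_fetch_add(&f->f_count, 1);
    if (prior == 0) {
        uaf_warning_seen = true;
        fprintf(stderr, "%s: f_count incremented from zero; "
                        "use-after-free condition present!\n", f->name);
    }
    return f;
}

/* Like get_file_active(): increment only while the count is non-zero,
 * otherwise return NULL so the caller knows the file is gone. */
static struct file_sim *get_file_active_sim(struct file_sim *f)
{
    long cnt = atomic_load(&f->f_count);
    while (cnt != 0) {
        /* On failure cnt is refreshed with the current value and the loop
         * re-checks it against zero before retrying. */
        if (atomic_compare_exchange_weak(&f->f_count, &cnt, cnt + 1))
            return f;
    }
    return NULL;
}

/* Drop a reference. The kernel would schedule .release() at zero; during
 * that deferred window the notifier is still registered (the race here). */
static void put_file_sim(struct file_sim *f)
{
    atomic_fetch_sub(&f->f_count, 1);
}

/* Post-fix notifier: emit only while a live reference can be taken.
 * Returns true if an event was delivered. */
static bool emit_event_safe(struct file_sim *f)
{
    struct file_sim *ref = get_file_active_sim(f);
    if (!ref)
        return false;           /* fd closed or closing: drop the event */
    /* ... queue the line event into the fd's event buffer here ... */
    put_file_sim(ref);
    return true;
}

/* Pre-fix notifier: takes the reference unconditionally, so an event that
 * lands in the release window touches a file whose count was already 0. */
static bool emit_event_unsafe(struct file_sim *f)
{
    struct file_sim *ref = get_file_sim(f);
    put_file_sim(ref);          /* same delivery, against a dead object */
    return true;
}

/* Scenario helpers (hypothetical) so each outcome can be checked. */
static bool safe_emits_on_live_fd(void)
{
    struct file_sim f = { .f_count = 1, .name = "live-fd" };
    bool emitted = emit_event_safe(&f);
    return emitted && atomic_load(&f.f_count) == 1;   /* count restored */
}

static bool safe_drops_on_closed_fd(void)
{
    struct file_sim f = { .f_count = 0, .name = "closed-fd" };
    bool emitted = emit_event_safe(&f);
    return !emitted && atomic_load(&f.f_count) == 0;  /* never touched */
}

static bool unsafe_warns_on_closed_fd(void)
{
    struct file_sim f = { .f_count = 0, .name = "closed-fd" };
    uaf_warning_seen = false;
    bool emitted = emit_event_unsafe(&f);
    return emitted && uaf_warning_seen;               /* event sent anyway */
}

int main(void)
{
    printf("fixed,  live fd   -> emitted: %s\n", safe_emits_on_live_fd() ? "yes" : "no");
    printf("fixed,  closed fd -> dropped: %s\n", safe_drops_on_closed_fd() ? "yes" : "no");
    printf("prefix, closed fd -> warned : %s\n", unsafe_warns_on_closed_fd() ? "yes" : "no");
    return 0;
}
```

The point to take from the model is that the fixed path never increments a zero count at all: the compare-and-swap makes "is there still a reference?" and "take one more" a single atomic step, whereas the unconditional increment can only complain once the damage is done.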

Responsible

Linux

Reservation

04/16/2025

Disclosure

12/04/2025

Moderation

accepted

CPE

ready

EPSS

0.00155

KEV

no

Activities

very low

Sources
