Use-After-Free Vulnerability in Linux Kernel GPIO Character Device
CVE-2025-40249
Currently unrated
What is CVE-2025-40249?
A use-after-free vulnerability exists in the GPIO character device (gpio cdev) interface of the Linux kernel. Because of a flaw in how the reference count on the kernel file object behind an open GPIO character device descriptor is handled, a GPIO change notification destined for user-space can be processed after that reference count has already dropped to zero but before the file's release callback has run. In that window the kernel operates on a file object that is being torn down, which is the use-after-free condition. On affected kernels the condition is visible as a kernel warning, but the underlying defect carries the usual consequences of a kernel use-after-free: a crash or memory corruption. The defect and its fix are in the kernel; administrators should update to a kernel release that includes the fix rather than relying on user-space changes.
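The window the description refers to, modelled as an added C example (this is not code from the kernel or from gpiolib-cdev.c; the names `model_file`, `notify_unconditional`, `notify_checked` and `run_scenario` are hypothetical): a listener registered at open time is still found by the notifier after the last `fput()` has taken the file's reference count to zero, because the release callback that would unregister it runs deferred. The flawed notifier takes the file unconditionally, which is the increment-from-zero pattern that modern kernels flag with a warning; the hardened variant performs an inc-not-zero check and skips the dying file. The inc-not-zero check illustrates the general mitigation for this class of bug, not necessarily the exact change applied upstream for this CVE.

```c
#include <stdio.h>
#include <stdlib.h>

/* Model of a reference-counted kernel file object. Hypothetical names; this
 * is not the code in gpiolib-cdev.c. */
struct model_file {
    long f_count;   /* 0 means: final fput() done, release still pending */
    int  events;    /* GPIO change events the notifier queued on this file */
};

/* Listener the notifier looks up: registered on open, unregistered by the
 * release callback. Between the final fput() and release it still points at
 * a file whose refcount is already zero; that is the advisory's window. */
static struct model_file *g_listener;

/* fput() hands the real teardown to task_work, so release runs later. */
static struct model_file *g_deferred;

static struct model_file *model_open(void)
{
    struct model_file *f = calloc(1, sizeof(*f));
    if (!f)
        abort();
    f->f_count = 1;
    g_listener = f;
    return f;
}

static void model_fput(struct model_file *f)
{
    if (--f->f_count == 0)
        g_deferred = f;             /* queued, not released synchronously */
}

static void run_deferred_release(void)
{
    if (g_deferred) {
        g_listener = NULL;          /* what the release callback does */
        g_deferred = NULL;
    }
}

/* Flawed notifier: bumps the listener's refcount unconditionally, as a plain
 * get_file() does. Returns 1 when it incremented from zero, the condition
 * recent kernels warn on as a use-after-free indicator. */
static int notify_unconditional(void)
{
    struct model_file *f = g_listener;
    if (!f)
        return 0;
    long prior = f->f_count++;
    f->events++;                    /* touches a file that may be dying */
    f->f_count--;                   /* balancing fput() */
    return prior == 0;
}

/* Hardened notifier: take a reference only if one still exists
 * (inc-not-zero); otherwise the file is dying and the event is skipped. */
static int notify_checked(void)
{
    struct model_file *f = g_listener;
    if (!f || f->f_count == 0)
        return 0;
    f->f_count++;
    f->events++;
    f->f_count--;
    return 0;
}

struct outcome {
    int zero_incs;    /* refcount increments from zero observed */
    int live_events;  /* events queued while the file was genuinely open */
    int dead_events;  /* events queued after the final fput() */
};

/* Deterministic interleaving of the race: event while open, final fput(),
 * event inside the window, deferred release, event after release. */
static struct outcome run_scenario(int (*notify)(void))
{
    struct outcome o = {0, 0, 0};
    struct model_file *f = model_open();
    o.zero_incs += notify();        /* normal delivery, refcount 1 */
    o.live_events = f->events;
    model_fput(f);                  /* last user reference dropped */
    o.zero_incs += notify();        /* arrives before release has run */
    o.dead_events = f->events - o.live_events;
    run_deferred_release();
    o.zero_incs += notify();        /* listener gone, nothing to do */
    free(f);
    return o;
}

int main(void)
{
    struct outcome bad = run_scenario(notify_unconditional);
    struct outcome good = run_scenario(notify_checked);
    printf("plain get: %d inc-from-zero, %d dead event(s)\n", bad.zero_incs, bad.dead_events);
    printf("checked:   %d inc-from-zero, %d dead event(s)\n", good.zero_incs, good.dead_events);
    return 0;
}
```

Compile with `cc -Wall` and run: the unconditional variant reports one increment from zero and one event queued on a file whose release is pending, while the checked variant reports neither and still delivers the event that arrived while the file was open.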
Affected Version(s)
Linux 40b7c49950bd56c984b1f6722f865b922879260e
Linux 6.13