Double Free Vulnerability in Linux Kernel Affects ThinkPad X9 Devices
CVE-2025-40296
Currently unrated
What is CVE-2025-40296?
A vulnerability in the Linux kernel's GPIO device management has been identified, specifically impacting ThinkPad X9 devices. The issue arises during the unregistration of GPIO devices, where a double free occurs; this can cause random failures when other drivers, notably Intel THC, attempt to allocate interrupts. The trouble is traced back to an unexpected drop in the reference count of the pinctrl_intel_platform module when its probe is deferred. To mitigate this flaw, the redundant release of the GPIO device during the regulator's unregistration process has been removed, ensuring system stability and security.
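The reference-count effect described above, as an added userspace model that is not the kernel's code or the upstream patch. All struct and function names are hypothetical, and the model assumes that unregistering the regulator already releases its GPIO, so a further release in the driver's teardown is the redundant one.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: every name here is hypothetical, not a kernel API. */
struct provider { int module_refs; };   /* stands in for the pin controller module */
struct gpio_dev { struct provider *owner; bool released; int double_puts; };
struct regulator { struct gpio_dev *enable_gpio; };

/* Acquiring a GPIO pins the module that provides it. */
static void gpio_get(struct gpio_dev *g, struct provider *p) {
    g->owner = p; g->released = false; g->double_puts = 0;
    p->module_refs++;
}

/* Releasing drops that pin. A second release of the same handle is the
 * double free; the model counts it instead of touching freed memory. */
static void gpio_put(struct gpio_dev *g) {
    if (g->released) g->double_puts++;
    g->released = true;
    g->owner->module_refs--;
}

/* Assumption: unregistering the regulator already releases its GPIO. */
static void regulator_unregister_model(struct regulator *r) { gpio_put(r->enable_gpio); }

/* Driver teardown. Before the fix it released the GPIO a second time. */
static void teardown(struct regulator *r, bool fixed) {
    regulator_unregister_model(r);
    if (!fixed) gpio_put(r->enable_gpio);   /* the redundant release */
}

/* Returns the provider's refcount after teardown while a second,
 * unrelated consumer still holds its GPIO (so the correct value is 1). */
static int refs_after_teardown(bool fixed, int *double_puts) {
    struct provider pinctrl = { 0 };
    struct gpio_dev other, gpio;
    struct regulator reg = { &gpio };
    gpio_get(&other, &pinctrl);
    gpio_get(&gpio, &pinctrl);
    teardown(&reg, fixed);
    *double_puts = gpio.double_puts;
    return pinctrl.module_refs;
}

int main(void) {
    int dp, refs = refs_after_teardown(false, &dp);
    printf("before fix: module_refs=%d double_puts=%d\n", refs, dp);
    refs = refs_after_teardown(true, &dp);
    printf("after fix:  module_refs=%d double_puts=%d\n", refs, dp);
    return 0;
}
```

In the model, the provider's count reaches zero before the fix even though another consumer still holds a GPIO, which mirrors the unexpected module reference drop the description reports.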
Affected Version(s)
Linux 1e5d088a52c207bcef6a43a6f6ffe162c514ed64
Linux 6.16