{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Kernel: Use-after-free in GPIO character device allows privilege escalation or denial of service",
    "id" : "2418886",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2418886"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-910",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ngpio: cdev: make sure the cdev fd is still active before emitting events\nWith the final call to fput() on a file descriptor, the release action\nmay be deferred and scheduled on a work queue. The reference count of\nthat descriptor is still zero and it must not be used. It's possible\nthat a GPIO change, we want to notify the user-space about, happens\nAFTER the reference count on the file descriptor associated with the\ncharacter device went down to zero but BEFORE the .release() callback\nwas called from the workqueue and so BEFORE we unregistered from the\nnotifier.\nUsing the regular get_file() routine in this situation triggers the\nfollowing warning:\nstruct file::f_count incremented from zero; use-after-free condition present!\nSo use the get_file_active() variant that will return NULL on file\ndescriptors that have been or are being released.", "A flaw was found in the Linux kernel's GPIO (General Purpose Input/Output) character device. A local attacker with low privileges could exploit a use-after-free vulnerability. This occurs when a GPIO change event is emitted after a file descriptor's reference count has dropped to zero, but before its release callback is invoked. This could lead to privilege escalation or a denial of service." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-03-09T00:00:00Z",
    "advisory" : "RHSA-2026:4012",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.43.1.el10_1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-40249\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-40249\nhttps://lore.kernel.org/linux-cve-announce/2025120430-CVE-2025-40249-3972@gregkh/T" ],
  "name" : "CVE-2025-40249",
  "csaw" : false
}