CVE-2025-40249Use of Expired File Descriptor in Linux

CWE-910Use of Expired File Descriptor18 documents6 sources
Severity
7.2HIGHOSV
No vector
EPSS
0.0%
top 89.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
LinuxLinux KernelDebian Linux
Timeline
PublishedDec 4
Latest updateApr 6

Description

In the Linux kernel, the following vulnerability has been resolved: gpio: cdev: make sure the cdev fd is still active before emitting events With the final call to fput() on a file descriptor, the release action may be deferred and scheduled on a work queue. The reference count of that descriptor is still zero and it must not be used. It's possible that a GPIO change, we want to notify the user-space about, happens AFTER the reference count on the file descriptor associated with the character

Affected Packages5 packages

Linuxlinux/linux_kernel6.13.06.17.10
Debianlinux/linux_kernel< 6.17.10-1
Ubuntulinux/linux_kernel< 6.17.0-19.19
CVEListV5linux/linux40b7c49950bd56c984b1f6722f865b922879260edccc6daa8afa0f64c432e4c867f275747e3415e1+2
debiandebian/linux< linux 6.17.10-1 (forky)

🔴Vulnerability Details

9
OSV
linux-oem-6.17 vulnerabilities2026-04-06
OSV
linux-raspi vulnerabilities2026-04-01
OSV
linux-azure, linux-azure-6.17 vulnerabilities2026-03-25
OSV
linux-realtime-6.17 vulnerabilities2026-03-23
OSV
linux-gcp-6.17, linux-realtime vulnerabilities2026-03-17

📋Vendor Advisories

8
Ubuntu
Linux kernel (OEM) vulnerabilities2026-04-06
Ubuntu
Linux kernel (Raspberry Pi) vulnerabilities2026-04-01
Ubuntu
Linux kernel (Azure) vulnerabilities2026-03-25
Ubuntu
Linux kernel (Real-time) vulnerabilities2026-03-23
Ubuntu
Linux kernel vulnerabilities2026-03-17