CVE-2025-39937
EUVD-2025-3240304.10.2025, 08:15
In the Linux kernel, the following vulnerability has been resolved:
net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer
Since commit 7d5e9737efda ("net: rfkill: gpio: get the name and type from
device property") rfkill_find_type() gets called with the possibly
uninitialized "const char *type_name;" local variable.
On x86 systems when rfkill-gpio binds to a "BCM4752" or "LNV4752"
acpi_device, the rfkill->type is set based on the ACPI acpi_device_id:
rfkill->type = (unsigned)id->driver_data;
and there is no "type" property so device_property_read_string() will fail
and leave type_name uninitialized, leading to a potential crash.
rfkill_find_type() does accept a NULL pointer, fix the potential crash
by initializing type_name to NULL.
Note likely sofar this has not been caught because:
1. Not many x86 machines actually have a "BCM4752"/"LNV4752" acpi_device
2. The stack happened to contain NULL where type_name is storedEnginsightAffected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 4.6 ≤ 𝑥 < 5.4.300 |
| linux | linux_kernel | 5.5 ≤ 𝑥 < 5.10.245 |
| linux | linux_kernel | 5.11 ≤ 𝑥 < 5.15.194 |
| linux | linux_kernel | 5.16 ≤ 𝑥 < 6.1.154 |
| linux | linux_kernel | 6.2 ≤ 𝑥 < 6.6.108 |
| linux | linux_kernel | 6.7 ≤ 𝑥 < 6.12.49 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.16.9 |
| linux | linux_kernel | 6.17:rc1 |
| linux | linux_kernel | 6.17:rc2 |
| linux | linux_kernel | 6.17:rc3 |
| linux | linux_kernel | 6.17:rc4 |
| linux | linux_kernel | 6.17:rc5 |
| linux | linux_kernel | 6.17:rc6 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References