Security Vulnerability Report
中文
CVE-2025-39960 CVSS 7.8 HIGH

CVE-2025-39960

Published: 2025-10-09 13:15:32
Last Modified: 2026-02-26 22:51:48
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: gpiolib: acpi: initialize acpi_gpio_info struct Since commit 7c010d463372 ("gpiolib: acpi: Make sure we fill struct acpi_gpio_info"), uninitialized acpi_gpio_info struct are passed to __acpi_find_gpio() and later in the call stack info->quirks is used in acpi_populate_gpio_lookup. This breaks the i2c_hid_cpi driver: [ 58.122916] i2c_hid_acpi i2c-UNIW0001:00: HID over i2c has not been provided an Int IRQ [ 58.123097] i2c_hid_acpi i2c-UNIW0001:00: probe with driver i2c_hid_acpi failed with error -22 Fix this by initializing the acpi_gpio_info pass to __acpi_find_gpio()

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:* - VULNERABLE
Linux Kernel 引入commit 7c010d463372之后到修复commit 19c839a98c731169f06d32e7c9e00c78a0086ebe之前的版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2025-39960 PoC - Demonstrating uninitialized struct usage in gpiolib:acpi // This PoC shows the kernel code path that triggers the vulnerability // The vulnerable code path is in drivers/gpio/gpiolib-acpi.c // Before the fix, acpi_gpio_info was not initialized before being passed // to __acpi_find_gpio() #include <linux/init.h> #include <linux/acpi.h> // Simulate the vulnerable call pattern static int trigger_vuln_path(struct acpi_device *adev) { struct acpi_gpio_info info; // BUG: uninitialized struct! // Fix would be: memset(&info, 0, sizeof(info)); // This call uses info.quirks which contains garbage struct gpio_desc *desc = __acpi_find_gpio(adev, NULL, 0, &info); if (IS_ERR(desc)) { // Returns -22 (EINVAL) due to uninitialized quirks pr_err("GPIO lookup failed: %ld\n", PTR_ERR(desc)); return PTR_ERR(desc); } return 0; } // Trigger via i2c_hid_acpi driver probe // On affected systems, loading i2c_hid_acpi will show: // [ 58.122916] i2c_hid_acpi i2c-UNIW0001:00: HID over i2c has not been provided an Int IRQ // [ 58.123097] i2c_hid_acpi i2c-UNIW0001:00: probe with driver i2c_hid_acpi failed with error -22 // To reproduce: // 1. Boot a kernel with the vulnerable commit (7c010d463372) but without the fix // 2. Ensure an I2C HID device is present (e.g., touchscreen) // 3. Observe the probe failure in dmesg

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-39960", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-09T13:15:32.130", "lastModified": "2026-02-26T22:51:48.127", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: acpi: initialize acpi_gpio_info struct\n\nSince commit 7c010d463372 (\"gpiolib: acpi: Make sure we fill struct\nacpi_gpio_info\"), uninitialized acpi_gpio_info struct are passed to\n__acpi_find_gpio() and later in the call stack info->quirks is used in\nacpi_populate_gpio_lookup. This breaks the i2c_hid_cpi driver:\n\n[ 58.122916] i2c_hid_acpi i2c-UNIW0001:00: HID over i2c has not been provided an Int IRQ\n[ 58.123097] i2c_hid_acpi i2c-UNIW0001:00: probe with driver i2c_hid_acpi failed with error -22\n\nFix this by initializing the acpi_gpio_info pass to __acpi_find_gpio()"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.16.9", "matchCriteriaId": "A29694A5-4AF1-4C6F-8828-187FA35BAC01"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*", "matchCriteriaId": "327D22EF-390B-454C-BD31-2ED23C998A1C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*", "matchCriteriaId": "C730CD9A-D969-4A8E-9522-162AAF7C0EE9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*", "matchCriteriaId": "39982C4B-716E-4B2F-8196-FA301F47807D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*", "matchCriteriaId": "340BEEA9-D70D-4290-B502-FBB1032353B1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc5:*:*:*:*:*:*", "matchCriteriaId": "47E4C5C0-079F-4838-971B-8C503D48FCC2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc6:*:*:*:*:*:*", "matchCriteriaId": "5A4516A6-C12E-42A4-8C0E-68AEF3264504"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/19c839a98c731169f06d32e7c9e00c78a0086ebe", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/27d94a2a52cbb54927c0140bd5b978c56e9a283a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.