gpio virtuser ConfigFS UAF
CVE-2026-23158
Severity: HIGH (KernelScan AI score 7.8)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:

gpio: virtuser: fix UAF in configfs release path

The gpio-virtuser configfs release path uses guard(mutex) to protect the device structure. However, the device is freed before the guard cleanup runs, causing mutex_unlock() to operate on freed memory.

Specifically, gpio_virtuser_device_config_group_release() destroys the mutex and frees the device while still inside the guard(mutex) scope. When the function returns, the guard cleanup invokes mutex_unlock(&dev->lock), resulting in a slab use-after-free.

Limit the mutex lifetime by using a scoped_guard() only around the activation check, so that the lock is released before mutex_destroy() and kfree() are called.
02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in the GPIO virtual user driver's configfs release path could allow local attackers with sufficient privileges to cause system crashes or potentially execute arbitrary code. The vulnerability occurs when the driver attempts to unlock a mutex on already-freed memory during cleanup operations.
Vulnerability analysis
Root Cause: The gpio-virtuser configfs release function uses guard(mutex) to protect the device structure, but the device is freed (via kfree) while still inside the guard scope. When the function returns, the guard cleanup mechanism attempts to call mutex_unlock() on the already-freed device's mutex, resulting in a use-after-free condition.
Attack Surface: This vulnerability affects the configfs interface of the gpio-virtuser driver, a virtual driver used for testing the GPIO API. The attack surface is local and requires the ability to interact with configfs, which typically requires elevated privileges to mount or access the configfs filesystem.
Fix Mechanism: The patch replaces guard(mutex) with scoped_guard(mutex) that limits the mutex lifetime to only the activation check section. This ensures the mutex is unlocked before mutex_destroy() and kfree() are called, preventing the use-after-free when the guard cleanup runs.
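As an added illustration (not code from the kernel or from this advisory), a userland C model of the two release-path shapes the analysis describes: the pre-fix form, where the guard's scope-exit unlock runs after the device has been freed, and the fixed form, where the guard is limited to the activation check. The lock, the device and kfree() are modelled with flags so the late unlock is detected instead of touching freed memory; every name in it is invented.

```c
#include <stdbool.h>
/* Constructed userland model of the guard()/scoped_guard() lifetime bug.
 * Every name here (virt_dev, model_*, release_*) is invented for the model. */
struct model_mutex { bool locked; bool destroyed; };
struct virt_dev { struct model_mutex lock; bool active; bool freed; };

/* Set when the guard's scope-exit unlock touches a freed/destroyed lock. */
static bool g_uaf_observed;

static void model_mutex_lock(struct model_mutex *m)    { m->locked = true; }
static void model_mutex_destroy(struct model_mutex *m) { m->destroyed = true; }
/* Models kfree(): flags the object instead of releasing it, so the late unlock
 * is detected by the model rather than corrupting real heap memory. */
static void model_kfree(struct virt_dev *dev)          { dev->freed = true; }

/* Cleanup hook run at scope exit, standing in for guard()'s mutex_unlock(). */
static void guard_unlock(struct virt_dev **devp)
{
    struct virt_dev *dev = *devp;
    if (dev->freed || dev->lock.destroyed) {  /* in the kernel: slab UAF */
        g_uaf_observed = true;
        return;
    }
    dev->lock.locked = false;
}
/* guard(mutex) stand-in: lock now, unlock when the enclosing scope ends. */
#define guard_mutex(d) \
    struct virt_dev *guard_ __attribute__((cleanup(guard_unlock))) = (d); \
    model_mutex_lock(&(d)->lock)

/* Pre-fix shape: mutex_destroy() and kfree() run while the guard is live. */
bool release_before_fix(struct virt_dev *dev)
{
    g_uaf_observed = false;
    {
        guard_mutex(dev);
        if (dev->active) dev->active = false;   /* deactivate if still live */
        model_mutex_destroy(&dev->lock);
        model_kfree(dev);
    }                                           /* guard unlock fires here: UAF */
    return g_uaf_observed;
}

/* Post-fix shape: scoped_guard() wraps only the activation check. */
bool release_after_fix(struct virt_dev *dev)
{
    g_uaf_observed = false;
    { guard_mutex(dev); if (dev->active) dev->active = false; } /* unlocked here */
    model_mutex_destroy(&dev->lock);
    model_kfree(dev);
    return g_uaf_observed;
}
```

release_before_fix() reports the late unlock on the freed device; release_after_fix() unlocks before destroy and free, so nothing is touched afterwards.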
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.69 | 815a8e3bf728 |
| 6.18 | 6.18.9 | 7bec90f605cf |
| mainline | 6.19 | 53ad4a948a45 |