CVE-2025-39960
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-09

Last updated on: 2026-02-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: gpiolib: acpi: initialize acpi_gpio_info struct Since commit 7c010d463372 ("gpiolib: acpi: Make sure we fill struct acpi_gpio_info"), uninitialized acpi_gpio_info struct are passed to __acpi_find_gpio() and later in the call stack info->quirks is used in acpi_populate_gpio_lookup. This breaks the i2c_hid_cpi driver: [ 58.122916] i2c_hid_acpi i2c-UNIW0001:00: HID over i2c has not been provided an Int IRQ [ 58.123097] i2c_hid_acpi i2c-UNIW0001:00: probe with driver i2c_hid_acpi failed with error -22 Fix this by initializing the acpi_gpio_info pass to __acpi_find_gpio()
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-09
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2025-10-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-39960
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.17
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves the Linux kernel's gpiolib ACPI component where an uninitialized acpi_gpio_info structure is passed to the __acpi_find_gpio() function. Because the structure is not properly initialized, the driver i2c_hid_cpi fails to operate correctly, resulting in errors such as the HID over i2c device not receiving an interrupt request (IRQ) and the driver probe failing with error -22. The issue was fixed by ensuring the acpi_gpio_info structure is properly initialized before being used.

Impact Analysis

This vulnerability can cause the i2c_hid_cpi driver to fail to initialize properly, leading to malfunction or failure of HID devices that rely on the i2c interface with ACPI GPIO. This may result in input devices such as touchpads or keyboards not working correctly on affected Linux systems.

Detection Guidance

This vulnerability can be detected by checking system logs for specific error messages related to the i2c_hid_acpi driver failure. Look for kernel log entries similar to: '[ 58.122916] i2c_hid_acpi i2c-UNIW0001:00: HID over i2c has not been provided an Int IRQ' and '[ 58.123097] i2c_hid_acpi i2c-UNIW0001:00: probe with driver i2c_hid_acpi failed with error -22'. You can use the command 'dmesg | grep i2c_hid_acpi' or 'journalctl -k | grep i2c_hid_acpi' to find these messages.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Linux kernel to a version that includes the fix for initializing the acpi_gpio_info struct, which prevents the i2c_hid_acpi driver failure. Applying the kernel patch that ensures acpi_gpio_info is properly initialized before being passed to __acpi_find_gpio() will resolve the issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-39960. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart