CVE-2025-21661: 
Linux Debian vulnerability analysis and mitigation

A vulnerability in the Linux kernel's GPIO virtuser driver was discovered and resolved on January 21, 2025. The issue occurs when a virtuser device is created via configfs and the probe fails due to an incorrect lookup table, where the table is not properly removed. This vulnerability is tracked as CVE-2025-21661 (NVD, Debian).

The vulnerability stems from a cleanup issue in the GPIO virtuser driver where the lookup table is not properly removed after a failed probe attempt. Additionally, cleanup is also needed in the case of platformdeviceregisterfull() failure. A consistent memory leak in lookuptable->dev_id was identified using kmemleak by toggling the live state between 0 and 1 with a correct lookup table (Kernel Commit).

The vulnerability prevents subsequent probe attempts from succeeding, even if the issue is corrected, unless the device is released. This can lead to system resource leaks and potential denial of service conditions (NVD).

The issue has been fixed by introducing gpiovirtuserremovelookuptable() as the counterpart to the existing gpiovirtusermakelookuptable() and calling it from all necessary points to ensure proper cleanup. The fix is included in the Linux kernel commit a619cba8c69c (Kernel Commit).