CVE-2025-39937

Since commit 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") rfkillfindtype() gets called with the possibly uninitialized "const char *type_name;" local variable.

On x86 systems when rfkill-gpio binds to a "BCM4752" or "LNV4752" acpidevice, the rfkill->type is set based on the ACPI acpidevice_id:

    rfkill->type = (unsigned)id->driver_data;

and there is no "type" property so devicepropertyreadstring() will fail and leave typename uninitialized, leading to a potential crash.

rfkillfindtype() does accept a NULL pointer, fix the potential crash by initializing type_name to NULL.

Note likely sofar this has not been caught because:

Not many x86 machines actually have a "BCM4752"/"LNV4752" acpi_device
The stack happened to contain NULL where type_name is stored

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39937.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.6.0

Fixed

5.4.300

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

5.10.245

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.194

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.1.154

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.108

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.49

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.16.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39937.json"