CVE-2025-71290 Overview
CVE-2025-71290 is a memory leak vulnerability in the Linux kernel's ti_fpc202 miscellaneous driver. The flaw resides in the driver's probe function, where iterating over child device nodes did not consistently release device node references. The fix replaces the open-coded iteration with for_each_child_of_node_scoped(), ensuring the device node reference is automatically released when the loop scope ends. The issue is tracked through the upstream Linux kernel stable tree commits.
Critical Impact
The defect can leak device_node references during probe, contributing to long-term kernel memory pressure on systems that exercise the affected driver path.
Affected Products
- Linux kernel versions containing the misc/ti_fpc202 driver prior to the fix
- Distributions that ship the ti_fpc202 driver in their kernel packages
- Embedded systems and platforms using Texas Instruments FPC202 hardware support
Discovery Timeline
- 2026-05-06 - CVE-2025-71290 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2025-71290
Vulnerability Analysis
The vulnerability is a memory leak [CWE-401] in the probe function of the ti_fpc202 misc driver. During probe, the driver walks the device tree to enumerate child nodes representing FPC202 hardware ports. Each call to functions in the of_get_*_child family returns a reference-counted device_node pointer. Without an explicit of_node_put() on every exit path, the reference count is never decremented and the node remains pinned in memory.
The upstream fix migrates the iteration to the for_each_child_of_node_scoped() macro. This macro uses the compiler's cleanup attribute to automatically release the device_node reference when the loop variable goes out of scope. The change eliminates the manual reference management that was the source of the leak.
The EPSS probability for this issue is 0.017%, consistent with a local kernel reliability defect rather than a remotely exploitable flaw.
Root Cause
The root cause is improper reference counting on device_node objects within the ti_fpc202 probe path. When the original loop exited early on an error or completed without calling of_node_put() on the held child reference, the kernel retained an unnecessary reference to the device tree node. Repeated probe and unbind cycles compound the leak.
Attack Vector
The vulnerability is not network reachable. It requires the affected driver to be loaded and the ti_fpc202 device tree binding to be present on the system. Local users cannot directly trigger the leak without privileged access to bind, unbind, or hot-plug the device. The practical impact is constrained to platforms that integrate FPC202 hardware.
No public exploit code is available. Refer to the upstream commits for technical details: Linux Kernel Commit d2975604, Linux Kernel Commit dad9f13d, and Linux Kernel Commit dd16f314.
Detection Methods for CVE-2025-71290
Indicators of Compromise
- Gradual increase in non-reclaimable kernel memory on systems that bind and unbind the ti_fpc202 driver repeatedly
- Elevated device_node counts visible through /sys/kernel/debug/devices_kset or kernel reference tracing
- Kernel build identifier or uname -r reporting a Linux version preceding the upstream fix commits
Detection Strategies
- Audit running kernel versions across Linux fleet inventory and compare against the patched stable releases referenced in the upstream commits
- Use kmemleak on test systems to confirm presence of leaked allocations originating from the ti_fpc202 probe path
- Track module load events for ti_fpc202 and correlate with subsequent memory growth in Slab and KernelStack counters from /proc/meminfo
Monitoring Recommendations
- Monitor kernel memory consumption trends on embedded and industrial Linux platforms that load the ti_fpc202 driver
- Alert on unexplained growth in slab caches associated with device tree node allocations
- Centralize kernel and dmesg logs for correlation across the fleet to spot anomalous probe or rebind activity
How to Mitigate CVE-2025-71290
Immediate Actions Required
- Apply the stable kernel updates corresponding to commits d2975604, dad9f13d, and dd16f314 from the upstream Linux stable tree
- Validate that distribution kernel packages have absorbed the fix and schedule a coordinated reboot for affected hosts
- For embedded targets, rebuild and redeploy device firmware images with the patched kernel
Patch Information
The vulnerability is resolved upstream in the Linux kernel by replacing manual child-node iteration with for_each_child_of_node_scoped() in the ti_fpc202 probe function. The fix is available in the stable kernel commits d2975604bf1b, dad9f13d967b, and dd16f314cb10. Apply the latest stable point release containing these commits.
Workarounds
- Blacklist the ti_fpc202 module on systems that do not require the FPC202 hardware until the kernel can be updated
- Avoid repeated bind and unbind cycles of the driver to limit the rate of leaked references in unpatched kernels
- Schedule periodic reboots on affected long-running systems to clear accumulated leaked allocations as a temporary measure
# Configuration example: blacklist the ti_fpc202 module until patch deployment
echo "blacklist ti_fpc202" | sudo tee /etc/modprobe.d/blacklist-ti_fpc202.conf
sudo update-initramfs -u
# Verify the running kernel after patching
uname -r
modinfo ti_fpc202 | grep -E '^(filename|version|srcversion):'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

