CVE-2024-56625: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

can: dev: can_set_termination(): allow sleeping GPIOs

In commit 6e86a1543c37 ("can: dev: provide optional GPIO based termination support") GPIO based termination support was added. For no particular reason that patch uses gpiod_set_value() to set the GPIO. This leads to the following warning if the system uses a sleeping GPIO, i.e. one behind an I2C port expander:

| WARNING: CPU: 0 PID: 379 at /drivers/gpio/gpiolib.c:3496 gpiod_set_value+0x50/0x6c
| CPU: 0 UID: 0 PID: 379 Comm: ip Not tainted 6.11.0-20241016-1 #1 823affae360cc91126e4d316d7a614a8bf86236c

Replace gpiod_set_value() by gpiod_set_value_cansleep() to allow the use of sleeping GPIOs.
AI Analysis
Technical Summary
CVE-2024-56625 is a vulnerability in the Linux kernel's CAN (Controller Area Network) device driver, specifically in can_set_termination(), the function that drives the GPIO (General Purpose Input/Output) pin used for optional bus termination. Commit 6e86a1543c37 added that GPIO-based termination support and used gpiod_set_value() to set the pin. gpiod_set_value() is the non-sleeping variant of the GPIO API, meant for controllers that can be driven without blocking; it is not suitable for GPIOs whose controller may sleep, such as pins behind an I2C port expander, where changing the pin requires a bus transaction. Calling it on such a GPIO makes gpiolib emit the kernel warning quoted in the description and risks unstable behavior, because the call does not account for the sleeping context. The correct call is gpiod_set_value_cansleep(), which is designed to set the value safely when the GPIO may sleep. The issue is therefore a misuse of the GPIO API in a kernel driver, whose consequence is kernel warnings and a possible impact on device stability or reliability. It affects Linux kernel versions that contain the original commit but not the fix. It has been publicly disclosed with no known exploits in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations relying on Linux-based systems with CAN bus devices that utilize GPIO termination via sleeping GPIOs (e.g., behind I2C port expanders), this vulnerability could cause kernel warnings and potentially disrupt CAN device operation. This may lead to degraded system stability or intermittent failures in critical embedded systems or industrial control environments where CAN bus is prevalent. While this vulnerability does not directly lead to privilege escalation or remote code execution, the instability or unexpected behavior in kernel space could impact availability and reliability of systems. Organizations in sectors such as automotive manufacturing, industrial automation, and embedded device production—where Linux and CAN bus are common—may experience operational disruptions if unpatched. The absence of known exploits reduces immediate risk, but the issue should be addressed to maintain system robustness.
Mitigation Recommendations
To mitigate this vulnerability, organizations should update to a Linux kernel in which the patch replacing gpiod_set_value() with gpiod_set_value_cansleep() in can_set_termination() is applied. Kernel maintainers and distributors should prioritize releasing patched kernels. For embedded or industrial systems built on custom kernels, developers must audit GPIO handling in CAN drivers so that sleeping GPIOs are driven with the cansleep variant of the API. System integrators should also verify that hardware configurations with GPIOs behind I2C port expanders are tested against the patched kernel to confirm the warning no longer appears. Monitoring kernel logs for the gpiolib WARNING at gpiod_set_value() quoted in the description can help detect unpatched systems. Because the defect is in the kernel driver implementation, generic mitigations such as disabling CAN devices are impractical; patching is the primary solution.
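The log check suggested above, as an added example that is not part of the advisory: a POSIX shell script that scans a saved kernel log (dmesg or journalctl -k output) for the gpiolib warning quoted in the description and reports which user-space command triggered it. The sample log, the path drivers/net/example.c and the function names are constructed for this example.

```shell
#!/bin/sh
# Added detection example, not from the advisory: scan a saved kernel log
# (dmesg / journalctl -k output) for the gpiolib warning quoted in the CVE
# description. Only the non-sleeping gpiod_set_value() call site is
# matched, so a kernel whose can_set_termination() already uses
# gpiod_set_value_cansleep() produces no hits.

# Bracket classes instead of backslash escapes so the same pattern is safe
# in both grep -E and an awk -v assignment.
WARN_RE='WARNING: CPU: [0-9]+ PID: [0-9]+ at .*gpiolib[.]c:[0-9]+ gpiod_set_value[+]0x'

# Count WARNING lines raised from gpiod_set_value() inside gpiolib.c.
# grep -c exits 1 on zero matches; "|| true" keeps the count usable.
count_gpiod_sleep_warnings() {
    grep -c -E "$WARN_RE" "$1" || true
}

# Print the user-space command (Comm:) behind each matched warning, one
# per line, de-duplicated. In the kernel's dump format the CPU/PID/Comm
# line directly follows the WARNING line.
gpiod_warning_commands() {
    awk -v re="$WARN_RE" '
        $0 ~ re { hit = 1; next }
        hit && /Comm: / {
            for (i = 1; i <= NF; i++) if ($i == "Comm:") print $(i + 1)
            hit = 0
        }
    ' "$1" | sort -u
}

# Constructed sample log: the warning from the advisory (build hash omitted),
# an unrelated warning from an invented file, and an ordinary CAN line.
write_sample_log() {
    cat > "$1" <<'EOF'
[   12.345678] can0: bitrate setting 500000
[   12.345700] WARNING: CPU: 0 PID: 379 at /drivers/gpio/gpiolib.c:3496 gpiod_set_value+0x50/0x6c
[   12.345720] CPU: 0 UID: 0 PID: 379 Comm: ip Not tainted 6.11.0-20241016-1 #1
[   20.000000] WARNING: CPU: 1 PID: 512 at drivers/net/example.c:100 example_fn+0x10/0x20
[   20.000010] CPU: 1 UID: 0 PID: 512 Comm: modprobe Not tainted 6.11.0-20241016-1 #1
EOF
}

# Stand-alone demo run.
log=$(mktemp)
write_sample_log "$log"
echo "sleeping-GPIO warnings from gpiod_set_value(): $(count_gpiod_sleep_warnings "$log")"
echo "triggered by: $(gpiod_warning_commands "$log")"
rm -f "$log"
```

On a real host, pass a file produced by `dmesg > /tmp/kern.log` to the two functions; a non-zero count on a host with CAN termination behind an I2C expander points to an unpatched kernel.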
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-27T14:03:06.017Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9822c4522896dcbde3b6
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 6/28/2025, 6:11:42 AM
Last updated: 8/21/2025, 12:51:38 PM