
CVE-2025-21661: Vulnerability in Linux (Linux kernel)

Medium
Published: Tue Jan 21 2025 (01/21/2025, 12:18:16 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

gpio: virtuser: fix missing lookup table cleanups

When a virtuser device is created via configfs and the probe fails due to an incorrect lookup table, the table is not removed. This prevents subsequent probe attempts from succeeding, even if the issue is corrected, unless the device is released.

Additionally, cleanup is also needed in the less likely case of platform_device_register_full() failure.

Besides, a consistent memory leak in lookup_table->dev_id was spotted using kmemleak by toggling the live state between 0 and 1 with a correct lookup table.

Introduce gpio_virtuser_remove_lookup_table() as the counterpart to the existing gpio_virtuser_make_lookup_table() and call it from all necessary points to ensure proper cleanup.

AI-Powered Analysis

Last updated: 06/30/2025, 16:42:45 UTC

Technical Analysis

CVE-2025-21661 is a vulnerability identified in the Linux kernel's gpio virtuser subsystem, specifically related to the handling of lookup tables during device probing and registration. The issue arises when a virtuser device is created via configfs and the probe operation fails due to an incorrect lookup table. In such cases, the faulty lookup table is not properly removed, which blocks subsequent probe attempts from succeeding even if the underlying issue is corrected, unless the device is explicitly released. Additionally, the vulnerability includes a memory leak in the lookup_table->dev_id structure, detected through kmemleak analysis when toggling the live state between 0 and 1 with a correct lookup table. The root cause is the absence of proper cleanup routines for the lookup table in failure scenarios, including the less common platform_device_register_full() failure path. The fix involves introducing a dedicated cleanup function, gpio_virtuser_remove_lookup_table(), which is invoked at all necessary failure points to ensure that resources are correctly freed and the system state remains consistent. This vulnerability primarily affects Linux kernel versions identified by the commit hash 91581c4b3f29e2e22aeb1a62e842d529ca638b2d and likely impacts systems using the gpio virtuser interface for virtual GPIO devices. Although no known exploits are currently reported in the wild, the issue could lead to denial of service conditions or resource exhaustion due to memory leaks and persistent probe failures, potentially impacting system stability and availability.
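The failure pattern described in the Description and in the analysis above, as an added illustration that is not the kernel's gpio-virtuser code: a simplified userspace model in which make_lookup_table(), remove_lookup_table(), probe() and the set_live_* functions are hypothetical stand-ins for the driver paths, and the dev_id string is a constructed value. The buggy path leaves a wrong table registered after a failed probe, so a corrected retry still fails and each dev_id allocation leaks; the fixed path calls the remove counterpart on the failure path.

```c
/* Added model of the CVE-2025-21661 bug class (a registered lookup table that is never
 * removed when probe fails). Not the kernel's gpio-virtuser code; names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <string.h>

struct lookup_table { char *dev_id; int valid; struct lookup_table *next; };
static struct lookup_table *registry;  /* stand-in for the global lookup-table list */
static int live_dev_ids;               /* dev_id allocations kmemleak would report */
static struct lookup_table *make_lookup_table(int valid) {
    struct lookup_table **pp, *t = calloc(1, sizeof(*t));
    if (!t || !(t->dev_id = strdup("gpio-virtuser.0"))) { free(t); return NULL; } /* constructed dev_id */
    t->valid = valid; live_dev_ids++;
    for (pp = &registry; *pp; pp = &(*pp)->next) {}
    *pp = t;  /* appended: an older table is matched before a newer one */
    return t;
}

/* The counterpart the fix introduces: unregister and free on every exit path. */
static void remove_lookup_table(struct lookup_table *t) {
    struct lookup_table **pp;
    for (pp = &registry; *pp; pp = &(*pp)->next)
        if (*pp == t) { *pp = t->next; break; }
    free(t->dev_id); free(t); live_dev_ids--;
}
static void reset_registry(void) { while (registry) remove_lookup_table(registry); }

/* Probe resolves the dev_id against the registry and takes the first match. */
static int probe(void) {
    for (struct lookup_table *t = registry; t; t = t->next)
        if (strcmp(t->dev_id, "gpio-virtuser.0") == 0)
            return t->valid ? 0 : -EINVAL;
    return -ENODEV;
}

/* Buggy: a failed probe leaves the wrong table registered and its dev_id leaked. */
static int set_live_buggy(struct lookup_table **slot, int valid) {
    *slot = make_lookup_table(valid);
    return *slot ? probe() : -ENOMEM;
}

/* Fixed: the failure path removes what was registered, so a corrected retry succeeds. */
static int set_live_fixed(struct lookup_table **slot, int valid) {
    int err;
    *slot = make_lookup_table(valid);
    if (!*slot) return -ENOMEM;
    if ((err = probe()) != 0) { remove_lookup_table(*slot); *slot = NULL; }
    return err;
}
```

In the buggy flow the second call fails even though its table is correct, which is the "blocked re-probe" symptom; live_dev_ids plays the role of the kmemleak report.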

Potential Impact

For European organizations, the impact of CVE-2025-21661 depends largely on the deployment of Linux systems utilizing the gpio virtuser subsystem, which is typically found in embedded systems, IoT devices, and specialized hardware platforms. Organizations in sectors such as manufacturing, telecommunications, automotive, and critical infrastructure that rely on Linux-based embedded devices could experience degraded device functionality or system instability. The inability to recover from probe failures without device release may cause operational disruptions, especially in environments requiring high availability and reliability. The memory leak component could lead to gradual resource depletion, increasing the risk of system crashes or forced reboots, which in turn could affect service continuity. While the vulnerability does not directly expose confidentiality or integrity risks, the availability impact could be significant in industrial control systems or network equipment. Given the widespread use of Linux across European enterprises and public sector entities, failure to address this vulnerability could result in increased maintenance overhead and potential downtime, particularly in organizations with large-scale deployments of affected devices.

Mitigation Recommendations

To mitigate CVE-2025-21661, European organizations should:

1) Apply the official Linux kernel patches that introduce gpio_virtuser_remove_lookup_table() and related cleanup fixes as soon as they become available from trusted Linux kernel maintainers or distributions.
2) Audit and inventory devices and systems that utilize the gpio virtuser interface, prioritizing those in critical operational roles.
3) Implement monitoring for unusual device probe failures and memory usage patterns indicative of leaks, enabling early detection of exploitation or malfunction.
4) Where possible, configure devices to allow safe release and re-probing of virtuser devices to recover from probe failures.
5) Collaborate with hardware and software vendors to ensure firmware and driver updates incorporate the fix.
6) Incorporate this vulnerability into vulnerability management and patching workflows, ensuring timely updates and regression testing to avoid operational disruptions.
7) For embedded or IoT devices where patching the kernel is challenging, consider network segmentation and access controls to limit exposure and impact.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.732Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9834c4522896dcbe9770

Added to database: 5/21/2025, 9:09:08 AM

Last enriched: 6/30/2025, 4:42:45 PM

Last updated: 7/28/2025, 9:43:58 PM

