DEBIAN-CVE-2026-23158

In the Linux kernel, the following vulnerability has been resolved:  gpio: virtuser: fix UAF in configfs release path  The gpio-virtuser configfs release path uses guard(mutex) to protect the device structure. However, the device is freed before the guard cleanup runs, causing mutexunlock() to operate on freed memory.  Specifically, gpiovirtuserdeviceconfiggrouprelease() destroys the mutex and frees the device while still inside the guard(mutex) scope. When the function returns, the guard cleanup invokes mutexunlock(&dev->lock), resulting in a slab use-after-free.  Limit the mutex lifetime by using a scopedguard() only around the activation check, so that the lock is released before mutex_destroy() and kfree() are called.