CVE-2025-38051

Description

In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix use-after-free in cifs_fill_dirent There is a race condition in the readdir concurrency process, which may access the rsp buffer after it has been released, triggering the following KASAN warning. ================================================================== BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs] Read of size 4 at addr ffff8880099b819c by task a.out/342975 CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_report+0xce/0x640 kasan_report+0xb8/0xf0 cifs_fill_dirent+0xb03/0xb60 [cifs] cifs_readdir+0x12cb/0x3190 [cifs] iterate_dir+0x1a1/0x520 __x64_sys_getdents+0x134/0x220 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f996f64b9f9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8 RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88 R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000 </TASK> Allocated by task 408: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0x117/0x3d0 mempool_alloc_noprof+0xf2/0x2c0 cifs_buf_get+0x36/0x80 [cifs] allocate_buffers+0x1d2/0x330 [cifs] cifs_demultiplex_thread+0x22b/0x2690 [cifs] kthread+0x394/0x720 ret_from_fork+0x34/0x70 ret_from_fork_asm+0x1a/0x30 Freed by task 342979: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x37/0x50 kmem_cache_free+0x2b8/0x500 cifs_buf_release+0x3c/0x70 [cifs] cifs_readdir+0x1c97/0x3190 [cifs] iterate_dir+0x1a1/0x520 __x64_sys_getdents64+0x134/0x220 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff8880099b8000 which belongs to the cache cifs_request of size 16588 The buggy address is located 412 bytes inside of freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0x80000000000040(head|node=0|zone=1) page_type: f5(slab) raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000 head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001 head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000 head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== POC is available in the link [1]. The problem triggering process is as follows: Process 1 Process 2 ----------------------------------- ---truncated---

Reserved 2025-04-16 | Published 2025-06-18 | Updated 2025-06-18 | Assigner Linux

Product status

Default status
unaffected

a364bc0b37f14ffd66c1f982af42990a9d77fa43 before aee067e88d61eb72e966f094e4749c6b14e7008f
affected

a364bc0b37f14ffd66c1f982af42990a9d77fa43 before a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e
affected

a364bc0b37f14ffd66c1f982af42990a9d77fa43 before 1b197931fbc821bc7e9e91bf619400db563e3338
affected

a364bc0b37f14ffd66c1f982af42990a9d77fa43 before c8623231e0edfcccb7cc6add0288fa0f0594282f
affected

a364bc0b37f14ffd66c1f982af42990a9d77fa43 before 73cadde98f67f76c5eba00ac0b72c453383cec8b
affected

a364bc0b37f14ffd66c1f982af42990a9d77fa43 before 9bea368648ac46f8593a780760362e40291d22a9
affected

a364bc0b37f14ffd66c1f982af42990a9d77fa43 before 9c9aafbacc183598f064902365e107b5e856531f
affected

a364bc0b37f14ffd66c1f982af42990a9d77fa43 before a7a8fe56e932a36f43e031b398aef92341bf5ea0
affected

0f3da51e7046e2eb28992ba65c22d058f571356c
affected

Default status
affected

2.6.28
affected

Any version before 2.6.28
unaffected

5.4.294
unaffected

5.10.238
unaffected

5.15.185
unaffected

6.1.141
unaffected

6.6.93
unaffected

6.12.31
unaffected

6.14.9
unaffected

6.15
unaffected

References

git.kernel.org/...c/aee067e88d61eb72e966f094e4749c6b14e7008f

git.kernel.org/...c/a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e

git.kernel.org/...c/1b197931fbc821bc7e9e91bf619400db563e3338

git.kernel.org/...c/c8623231e0edfcccb7cc6add0288fa0f0594282f

git.kernel.org/...c/73cadde98f67f76c5eba00ac0b72c453383cec8b

git.kernel.org/...c/9bea368648ac46f8593a780760362e40291d22a9

git.kernel.org/...c/9c9aafbacc183598f064902365e107b5e856531f

git.kernel.org/...c/a7a8fe56e932a36f43e031b398aef92341bf5ea0

cve.org (CVE-2025-38051)

nvd.nist.gov (CVE-2025-38051)

Download JSON