{
  "threat_severity" : "Moderate",
  "public_date" : "2025-06-18T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: smb: client: Fix use-after-free in cifs_fill_dirent",
    "id" : "2373329",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2373329"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-825",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nsmb: client: Fix use-after-free in cifs_fill_dirent\nThere is a race condition in the readdir concurrency process, which may\naccess the rsp buffer after it has been released, triggering the\nfollowing KASAN warning.\n==================================================================\nBUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]\nRead of size 4 at addr ffff8880099b819c by task a.out/342975\nCPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\nCall Trace:\n<TASK>\ndump_stack_lvl+0x53/0x70\nprint_report+0xce/0x640\nkasan_report+0xb8/0xf0\ncifs_fill_dirent+0xb03/0xb60 [cifs]\ncifs_readdir+0x12cb/0x3190 [cifs]\niterate_dir+0x1a1/0x520\n__x64_sys_getdents+0x134/0x220\ndo_syscall_64+0x4b/0x110\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f996f64b9f9\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89\nf7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01\nf0 ff ff  0d f7 c3 0c 00 f7 d8 64 89 8\nRSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e\nRAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88\nR13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000\n</TASK>\nAllocated by task 408:\nkasan_save_stack+0x20/0x40\nkasan_save_track+0x14/0x30\n__kasan_slab_alloc+0x6e/0x70\nkmem_cache_alloc_noprof+0x117/0x3d0\nmempool_alloc_noprof+0xf2/0x2c0\ncifs_buf_get+0x36/0x80 [cifs]\nallocate_buffers+0x1d2/0x330 [cifs]\ncifs_demultiplex_thread+0x22b/0x2690 [cifs]\nkthread+0x394/0x720\nret_from_fork+0x34/0x70\nret_from_fork_asm+0x1a/0x30\nFreed by task 
342979:\nkasan_save_stack+0x20/0x40\nkasan_save_track+0x14/0x30\nkasan_save_free_info+0x3b/0x60\n__kasan_slab_free+0x37/0x50\nkmem_cache_free+0x2b8/0x500\ncifs_buf_release+0x3c/0x70 [cifs]\ncifs_readdir+0x1c97/0x3190 [cifs]\niterate_dir+0x1a1/0x520\n__x64_sys_getdents64+0x134/0x220\ndo_syscall_64+0x4b/0x110\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nThe buggy address belongs to the object at ffff8880099b8000\nwhich belongs to the cache cifs_request of size 16588\nThe buggy address is located 412 bytes inside of\nfreed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8\nhead: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nanon flags: 0x80000000000040(head|node=0|zone=1)\npage_type: f5(slab)\nraw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\nraw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\nhead: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\nhead: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\nhead: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff\nhead: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008\npage dumped because: kasan: bad access detected\nMemory state around the buggy address:\nffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\nffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n>ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n^\nffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\nffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\nPOC is available in the link [1].\nThe problem triggering process is as follows:\nProcess 1                       Process 2\n-----------------------------------\n---truncated---", "A use-after-free flaw was 
found in cifs_fill_dirent in fs/cifs/readdir.c in the SMB client in the Linux kernel. This flaw could allow an attacker to crash the system due to a race condition. This vulnerability could even lead to a kernel information leak." ],
  "statement" : "This Moderate impact flaw in the Linux kernel's SMB client (CIFS) is a race condition that causes a use-after-free during directory operations and can lead to a system crash or information disclosure. Red Hat Enterprise Linux 8, 9, and 10 are affected when utilizing the CIFS client functionality.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2761",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "kernel-0:6.12.0-55.60.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-01-19T00:00:00Z",
    "advisory" : "RHSA-2026:0760",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.94.1.rt7.435.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-01-19T00:00:00Z",
    "advisory" : "RHSA-2026:0759",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.94.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2026-01-15T00:00:00Z",
    "advisory" : "RHSA-2026:0643",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.2",
    "package" : "kernel-0:4.18.0-193.181.1.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0533",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.183.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0533",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.183.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0536",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.175.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0536",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.175.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0536",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.175.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-01-28T00:00:00Z",
    "advisory" : "RHSA-2026:1445",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.126.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-01-28T00:00:00Z",
    "advisory" : "RHSA-2026:1445",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.126.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-01-28T00:00:00Z",
    "advisory" : "RHSA-2026:1494",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.163.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-01-28T00:00:00Z",
    "advisory" : "RHSA-2026:1495",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.163.1.rt21.235.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-02-11T00:00:00Z",
    "advisory" : "RHSA-2026:2560",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.156.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-02-11T00:00:00Z",
    "advisory" : "RHSA-2026:2583",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.156.1.rt14.441.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-02-04T00:00:00Z",
    "advisory" : "RHSA-2026:1879",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.109.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-02-09T00:00:00Z",
    "advisory" : "RHSA-2026:2352",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "kernel-0:5.14.0-570.86.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38051\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38051\nhttps://lore.kernel.org/linux-cve-announce/2025061831-CVE-2025-38051-77da@gregkh/T" ],
  "name" : "CVE-2025-38051",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}