{
  "threat_severity" : "Moderate",
  "public_date" : "2025-08-16T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: cifs: Fix the smbd_response slab to allow usercopy",
    "id" : "2388948",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2388948"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1188",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ncifs: Fix the smbd_response slab to allow usercopy\nThe handling of received data in the smbdirect client code involves using\ncopy_to_iter() to copy data from the smbd_response struct's packet trailer\nto a folioq buffer provided by netfslib that encapsulates a chunk of\npagecache.\nIf, however, CONFIG_HARDENED_USERCOPY=y, this will result in the checks\nthen performed in copy_to_iter() oopsing with something like the following:\nCIFS: Attempting to mount //172.31.9.1/test\nCIFS: VFS: RDMA transport established\nusercopy: Kernel memory exposure attempt detected from SLUB object 'smbd_response_0000000091e24ea1' (offset 81, size 63)!\n------------[ cut here ]------------\nkernel BUG at mm/usercopy.c:102!\n...\nRIP: 0010:usercopy_abort+0x6c/0x80\n...\nCall Trace:\n<TASK>\n__check_heap_object+0xe3/0x120\n__check_object_size+0x4dc/0x6d0\nsmbd_recv+0x77f/0xfe0 [cifs]\ncifs_readv_from_socket+0x276/0x8f0 [cifs]\ncifs_read_from_socket+0xcd/0x120 [cifs]\ncifs_demultiplex_thread+0x7e9/0x2d50 [cifs]\nkthread+0x396/0x830\nret_from_fork+0x2b8/0x3b0\nret_from_fork_asm+0x1a/0x30\nThe problem is that the smbd_response slab's packet field isn't marked as\nbeing permitted for usercopy.\nFix this by passing parameters to kmem_slab_create() to indicate that\ncopy_to_iter() is permitted from the packet region of the smbd_response\nslab objects, less the header space." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-09-29T00:00:00Z",
    "advisory" : "RHSA-2025:16904",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "kernel-0:6.12.0-55.37.1.el10_0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38523\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38523\nhttps://lore.kernel.org/linux-cve-announce/2025081652-CVE-2025-38523-b126@gregkh/T" ],
  "name" : "CVE-2025-38523",
  "csaw" : false
}
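Added worked example (not part of the Red Hat record above and not the kernel's own code): a user-space C model of the CONFIG_HARDENED_USERCOPY slab check that produced the oops quoted in the details field. The slab allocator keeps a per-cache usercopy whitelist (useroffset, usersize); kmem_cache_create() leaves it empty, while kmem_cache_create_usercopy() lets the caller whitelist one byte range of each object. Every copy_to_iter()/copy_from_iter() that touches a slab object is then checked against that range in mm/usercopy.c before any bytes move. The struct layout, the MAX_RECV_SIZE value and the cache names below are assumptions for illustration; the check itself mirrors the whitelist test the kernel applies. The offset/size pair 81/63 is the one from the oops, which in this layout lands 57 bytes into the packet trailer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative smbd_response layout (assumption: the real kernel struct has
 * different header fields, but the same shape: bookkeeping header first,
 * received SMB packet bytes in a flexible trailer). */
struct smbd_response {
    uint64_t list_prev;      /* placeholder bookkeeping fields */
    uint64_t list_next;
    uint32_t type;
    uint32_t length;
    unsigned char packet[];  /* trailer that copy_to_iter() reads from */
};

#define MAX_RECV_SIZE 8192   /* assumed per-connection max receive size */

/* Model of the usercopy whitelist the slab allocator stores per cache:
 * [useroffset, useroffset + usersize) is the only range that may be copied
 * to or from user-visible buffers. kmem_cache_create() leaves both at 0. */
struct slab_cache {
    const char *name;
    size_t size;        /* object size */
    size_t useroffset;  /* start of whitelisted region */
    size_t usersize;    /* length of whitelisted region (0 = none) */
};

/* Before the fix: plain kmem_cache_create(), no whitelist at all. */
static const struct slab_cache cache_plain = {
    "smbd_response_plain",
    sizeof(struct smbd_response) + MAX_RECV_SIZE, 0, 0
};

/* After the fix: kmem_cache_create_usercopy() with useroffset at the packet
 * trailer and usersize equal to the receive size, i.e. the whole object
 * "less the header space". */
static const struct slab_cache cache_usercopy = {
    "smbd_response_usercopy",
    sizeof(struct smbd_response) + MAX_RECV_SIZE,
    offsetof(struct smbd_response, packet), MAX_RECV_SIZE
};

/* Mirror of the __check_heap_object() whitelist test: a copy of n bytes
 * starting at byte `offset` of an object in cache c is allowed only when the
 * whole range lies inside the whitelisted region.
 * Returns 1 if allowed, 0 where the kernel would call usercopy_abort(). */
int check_heap_object(const struct slab_cache *c, size_t offset, size_t n)
{
    if (offset >= c->size)
        return 0;   /* pointer does not lie inside the object */
    if (offset >= c->useroffset &&
        offset - c->useroffset <= c->usersize &&
        n <= c->useroffset - offset + c->usersize)
        return 1;
    return 0;
}

/* Model of copy_to_iter() with CONFIG_HARDENED_USERCOPY=y: the check runs
 * before any bytes move. A rejected copy prints the same message the oops
 * in the advisory shows and copies nothing. Returns bytes copied. */
size_t hardened_copy(const struct slab_cache *c, const struct smbd_response *r,
                     size_t offset, size_t n, void *dst)
{
    if (!check_heap_object(c, offset, n)) {
        fprintf(stderr,
                "usercopy: Kernel memory exposure attempt detected from SLUB "
                "object '%s' (offset %zu, size %zu)!\n", c->name, offset, n);
        return 0;
    }
    memcpy(dst, (const unsigned char *)r + offset, n);
    return n;
}

int main(void)
{
    static unsigned char obj[sizeof(struct smbd_response) + MAX_RECV_SIZE];
    unsigned char dst[64];
    const struct smbd_response *r = (const struct smbd_response *)obj;
    size_t pkt = offsetof(struct smbd_response, packet);

    memset(obj, 0x41, sizeof obj);   /* constructed sample object */

    /* Same offset/size pair as the oops in the details field. */
    printf("plain cache, offset 81 size 63: copied %zu bytes\n",
           hardened_copy(&cache_plain, r, 81, 63, dst));
    printf("usercopy cache, offset 81 size 63: copied %zu bytes\n",
           hardened_copy(&cache_usercopy, r, 81, 63, dst));
    /* The header stays protected, as does any overrun past the trailer. */
    printf("usercopy cache, header copy allowed: %d\n",
           check_heap_object(&cache_usercopy, 4, 8));
    printf("usercopy cache, trailer overrun allowed: %d\n",
           check_heap_object(&cache_usercopy, pkt + MAX_RECV_SIZE - 10, 20));
    return 0;
}
```

The point to take from the model is that the fix narrows rather than disables the hardening: the packet trailer becomes copyable, but a copy that starts in the header or runs past the end of the trailer is still rejected. When reviewing a similar fix in any slab-backed receive path, check that useroffset/usersize cover exactly the bytes the copy helpers read and nothing else.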