CVE-2025-38527 (GCVE-0-2025-38527)
Vulnerability from cvelistv5
Published: 2025-08-16 11:12
Modified: 2025-08-16 11:12
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix use-after-free in cifs_oplock_break
A race condition can occur in cifs_oplock_break() leading to a
use-after-free of the cinode structure when unmounting:
```
cifs_oplock_break()
  _cifsFileInfo_put(cfile)
    cifsFileInfo_put_final()
      cifs_sb_deactive()
        [last ref, start releasing sb]
          kill_sb()
            kill_anon_super()
              generic_shutdown_super()
                evict_inodes()
                  dispose_list()
                    evict()
                      destroy_inode()
                        call_rcu(&inode->i_rcu, i_callback)
  spin_lock(&cinode->open_file_lock)      <- OK
                        [later] i_callback()
                          cifs_free_inode()
                            kmem_cache_free(cinode)
  spin_unlock(&cinode->open_file_lock)    <- UAF
  cifs_done_oplock_break(cinode)          <- UAF
```
The issue occurs when umount has already released its reference to the
superblock. When _cifsFileInfo_put() calls cifs_sb_deactive(), this
releases the last reference, triggering the immediate cleanup of all
inodes under RCU. However, cifs_oplock_break() continues to access the
cinode after this point, resulting in a use-after-free.
Fix this by holding an extra reference to the superblock during the
entire oplock break operation. This ensures that the superblock and
its inodes remain valid until the oplock break completes.
References
- https://git.kernel.org/stable/c/0a4eec84d4d2c4085d4ed8630fd74e4b39033c1b
- https://git.kernel.org/stable/c/2baaf5bbab2ac474c4f92c10fcb3310f824db995
- https://git.kernel.org/stable/c/09bce2138a30ef10d8821c8c3f73a4ab7a5726bc
- https://git.kernel.org/stable/c/da11bd4b697b393a207f19a2ed7d382a811a3ddc
- https://git.kernel.org/stable/c/705c79101ccf9edea5a00d761491a03ced314210

Impacted products
Affected file: fs/smb/client/file.c (repository: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git)

Vendor | Product | Affected from (git) | Fixed before (git)
---|---|---|---
Linux | Linux | b98749cac4a695f084a5ff076f4510b23e353ecd | 0a4eec84d4d2c4085d4ed8630fd74e4b39033c1b
Linux | Linux | b98749cac4a695f084a5ff076f4510b23e353ecd | 2baaf5bbab2ac474c4f92c10fcb3310f824db995
Linux | Linux | b98749cac4a695f084a5ff076f4510b23e353ecd | 09bce2138a30ef10d8821c8c3f73a4ab7a5726bc
Linux | Linux | b98749cac4a695f084a5ff076f4510b23e353ecd | da11bd4b697b393a207f19a2ed7d382a811a3ddc
Linux | Linux | b98749cac4a695f084a5ff076f4510b23e353ecd | 705c79101ccf9edea5a00d761491a03ced314210
Linux | Linux | 2429fcf06d3cb962693868ab0a927c9038f12a2d | (no fix listed)
Linux | Linux | 1ee4f2d7cdcd4508cc3cbe3b2622d7177b89da12 | (no fix listed)
Linux | Linux | 53fc31a4853e30d6e8f142b824f724da27ff3e40 | (no fix listed)
Linux | Linux | 8092ecc306d81186a64cda42411121f4d35aaff4 | (no fix listed)
Linux | Linux | ebac4d0adf68f8962bd82fcf483936edd6ec095b | (no fix listed)

Affected kernel versions (semver)
- Affected from 5.1; versions below 5.1 are unaffected.
- 6.1.x: unaffected from 6.1.147
- 6.6.x: unaffected from 6.6.100
- 6.12.x: unaffected from 6.12.40
- 6.15.x: unaffected from 6.15.8
- Mainline: unaffected from 6.16 (original commit for fix)

CPE applicability (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*)
- Vulnerable from 5.1 up to (excluding) 6.1.147, 6.6.100, 6.12.40, 6.15.8 and 6.16 respectively.
- Additionally marked vulnerable from 3.16.72, 4.9.171, 4.14.114, 4.19.37 and 5.0.10 onward, with no end version listed.

Record metadata
- CVE ID: CVE-2025-38527 (state: PUBLISHED, dataVersion 5.1)
- Assigner: Linux (orgId 416baaa9-dc9f-4396-8d5f-8c081fb06d67), generated by bippy-1.2.0
- Reserved: 2025-04-16T04:51:24.023Z; published and last updated: 2025-08-16T11:12:20.843Z
- NVD: published 2025-08-16T12:15:28.183, status "Received", no metrics assigned; references identical to the list above.