CVE-2025-38051 - Vulnerability Details

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/1b197931fbc821bc7e9e91bf619400db563e3338
https://git.kernel.org/stable/c/73cadde98f67f76c5eba00ac0b72c453383cec8b
https://git.kernel.org/stable/c/9bea368648ac46f8593a780760362e40291d22a9
https://git.kernel.org/stable/c/9c9aafbacc183598f064902365e107b5e856531f
https://git.kernel.org/stable/c/a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e
https://git.kernel.org/stable/c/a7a8fe56e932a36f43e031b398aef92341bf5ea0
https://git.kernel.org/stable/c/aee067e88d61eb72e966f094e4749c6b14e7008f
https://git.kernel.org/stable/c/c8623231e0edfcccb7cc6add0288fa0f0594282f
https://lore.kernel.org/linux-cve-announce/2025061831-CVE-2025-38051-77da@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-38051
https://www.cve.org/CVERecord?id=CVE-2025-38051

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025061831-CVE-2025-38051-77da@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-38051 https://www.cve.org/CVERecord?id=CVE-2025-38051
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix use-after-free in cifs_fill_dirent There is a race condition in the readdir concurrency process, which may access the rsp buffer after it has been released, triggering the following KASAN warning. ================================================================== BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs] Read of size 4 at addr ffff8880099b819c by task a.out/342975 CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_report+0xce/0x640 kasan_report+0xb8/0xf0 cifs_fill_dirent+0xb03/0xb60 [cifs] cifs_readdir+0x12cb/0x3190 [cifs] iterate_dir+0x1a1/0x520 __x64_sys_getdents+0x134/0x220 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f996f64b9f9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8 RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88 R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000 </TASK> Allocated by task 408: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0x117/0x3d0 mempool_alloc_noprof+0xf2/0x2c0 cifs_buf_get+0x36/0x80 [cifs] allocate_buffers+0x1d2/0x330 [cifs] cifs_demultiplex_thread+0x22b/0x2690 [cifs] kthread+0x394/0x720 ret_from_fork+0x34/0x70 ret_from_fork_asm+0x1a/0x30 Freed by task 342979: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x37/0x50 kmem_cache_free+0x2b8/0x500 cifs_buf_release+0x3c/0x70 [cifs] cifs_readdir+0x1c97/0x3190 [cifs] iterate_dir+0x1a1/0x520 __x64_sys_getdents64+0x134/0x220 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff8880099b8000 which belongs to the cache cifs_request of size 16588 The buggy address is located 412 bytes inside of freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0x80000000000040(head\|node=0\|zone=1) page_type: f5(slab) raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000 head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001 head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000 head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== POC is available in the link [1]. The problem triggering process is as follows: Process 1 Process 2 ----------------------------------- ---truncated---
Title		smb: client: Fix use-after-free in cifs_fill_dirent
References		https://git.kernel.org/stable/c/1b197931fbc821bc7e9e91bf619400db563e3338 https://git.kernel.org/stable/c/73cadde98f67f76c5eba00ac0b72c453383cec8b https://git.kernel.org/stable/c/9bea368648ac46f8593a780760362e40291d22a9 https://git.kernel.org/stable/c/9c9aafbacc183598f064902365e107b5e856531f https://git.kernel.org/stable/c/a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e https://git.kernel.org/stable/c/a7a8fe56e932a36f43e031b398aef92341bf5ea0 https://git.kernel.org/stable/c/aee067e88d61eb72e966f094e4749c6b14e7008f https://git.kernel.org/stable/c/c8623231e0edfcccb7cc6add0288fa0f0594282f

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-38051", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:23.979Z", "datePublished": "2025-06-18T09:33:32.805Z", "dateUpdated": "2025-06-18T09:33:32.805Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-06-18T09:33:32.805Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Fix use-after-free in cifs_fill_dirent\n\nThere is a race condition in the readdir concurrency process, which may\naccess the rsp buffer after it has been released, triggering the\nfollowing KASAN warning.\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]\n Read of size 4 at addr ffff8880099b819c by task a.out/342975\n\n CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\n Call Trace:\n <TASK>\n dump_stack_lvl+0x53/0x70\n print_report+0xce/0x640\n kasan_report+0xb8/0xf0\n cifs_fill_dirent+0xb03/0xb60 [cifs]\n cifs_readdir+0x12cb/0x3190 [cifs]\n iterate_dir+0x1a1/0x520\n __x64_sys_getdents+0x134/0x220\n do_syscall_64+0x4b/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f996f64b9f9\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89\n f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01\n f0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8\n RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e\n RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\n RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88\n R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000\n </TASK>\n\n Allocated by task 408:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x14/0x30\n __kasan_slab_alloc+0x6e/0x70\n kmem_cache_alloc_noprof+0x117/0x3d0\n mempool_alloc_noprof+0xf2/0x2c0\n cifs_buf_get+0x36/0x80 [cifs]\n allocate_buffers+0x1d2/0x330 [cifs]\n cifs_demultiplex_thread+0x22b/0x2690 [cifs]\n kthread+0x394/0x720\n ret_from_fork+0x34/0x70\n ret_from_fork_asm+0x1a/0x30\n\n Freed by task 342979:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x37/0x50\n kmem_cache_free+0x2b8/0x500\n cifs_buf_release+0x3c/0x70 [cifs]\n cifs_readdir+0x1c97/0x3190 [cifs]\n iterate_dir+0x1a1/0x520\n __x64_sys_getdents64+0x134/0x220\n do_syscall_64+0x4b/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n The buggy address belongs to the object at ffff8880099b8000\n which belongs to the cache cifs_request of size 16588\n The buggy address is located 412 bytes inside of\n freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)\n\n The buggy address belongs to the physical page:\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8\n head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n anon flags: 0x80000000000040(head|node=0|zone=1)\n page_type: f5(slab)\n raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\n raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\n head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\n head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\n head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff\n head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ==================================================================\n\nPOC is available in the link [1].\n\nThe problem triggering process is as follows:\n\nProcess 1 Process 2\n-----------------------------------\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/readdir.c"], "versions": [{"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43", "lessThan": "aee067e88d61eb72e966f094e4749c6b14e7008f", "status": "affected", "versionType": "git"}, {"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43", "lessThan": "a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e", "status": "affected", "versionType": "git"}, {"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43", "lessThan": "1b197931fbc821bc7e9e91bf619400db563e3338", "status": "affected", "versionType": "git"}, {"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43", "lessThan": "c8623231e0edfcccb7cc6add0288fa0f0594282f", "status": "affected", "versionType": "git"}, {"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43", "lessThan": "73cadde98f67f76c5eba00ac0b72c453383cec8b", "status": "affected", "versionType": "git"}, {"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43", "lessThan": "9bea368648ac46f8593a780760362e40291d22a9", "status": "affected", "versionType": "git"}, {"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43", "lessThan": "9c9aafbacc183598f064902365e107b5e856531f", "status": "affected", "versionType": "git"}, {"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43", "lessThan": "a7a8fe56e932a36f43e031b398aef92341bf5ea0", "status": "affected", "versionType": "git"}, {"version": "0f3da51e7046e2eb28992ba65c22d058f571356c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/readdir.c"], "versions": [{"version": "2.6.28", "status": "affected"}, {"version": "0", "lessThan": "2.6.28", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.294", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.238", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.185", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.141", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.93", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.31", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.9", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.28", "versionEndExcluding": "5.4.294"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.28", "versionEndExcluding": "5.10.238"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.28", "versionEndExcluding": "5.15.185"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.28", "versionEndExcluding": "6.1.141"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.28", "versionEndExcluding": "6.6.93"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.28", "versionEndExcluding": "6.12.31"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.28", "versionEndExcluding": "6.14.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.28", "versionEndExcluding": "6.15"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.27.4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/aee067e88d61eb72e966f094e4749c6b14e7008f"}, {"url": "https://git.kernel.org/stable/c/a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e"}, {"url": "https://git.kernel.org/stable/c/1b197931fbc821bc7e9e91bf619400db563e3338"}, {"url": "https://git.kernel.org/stable/c/c8623231e0edfcccb7cc6add0288fa0f0594282f"}, {"url": "https://git.kernel.org/stable/c/73cadde98f67f76c5eba00ac0b72c453383cec8b"}, {"url": "https://git.kernel.org/stable/c/9bea368648ac46f8593a780760362e40291d22a9"}, {"url": "https://git.kernel.org/stable/c/9c9aafbacc183598f064902365e107b5e856531f"}, {"url": "https://git.kernel.org/stable/c/a7a8fe56e932a36f43e031b398aef92341bf5ea0"}], "title": "smb: client: Fix use-after-free in cifs_fill_dirent", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Fix use-after-free in cifs_fill_dirent\n\nThere is a race condition in the readdir concurrency process, which may\naccess the rsp buffer after it has been released, triggering the\nfollowing KASAN warning.\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]\n Read of size 4 at addr ffff8880099b819c by task a.out/342975\n\n CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\n Call Trace:\n <TASK>\n dump_stack_lvl+0x53/0x70\n print_report+0xce/0x640\n kasan_report+0xb8/0xf0\n cifs_fill_dirent+0xb03/0xb60 [cifs]\n cifs_readdir+0x12cb/0x3190 [cifs]\n iterate_dir+0x1a1/0x520\n __x64_sys_getdents+0x134/0x220\n do_syscall_64+0x4b/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f996f64b9f9\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89\n f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01\n f0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8\n RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e\n RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\n RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88\n R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000\n </TASK>\n\n Allocated by task 408:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x14/0x30\n __kasan_slab_alloc+0x6e/0x70\n kmem_cache_alloc_noprof+0x117/0x3d0\n mempool_alloc_noprof+0xf2/0x2c0\n cifs_buf_get+0x36/0x80 [cifs]\n allocate_buffers+0x1d2/0x330 [cifs]\n cifs_demultiplex_thread+0x22b/0x2690 [cifs]\n kthread+0x394/0x720\n ret_from_fork+0x34/0x70\n ret_from_fork_asm+0x1a/0x30\n\n Freed by task 342979:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x37/0x50\n kmem_cache_free+0x2b8/0x500\n cifs_buf_release+0x3c/0x70 [cifs]\n cifs_readdir+0x1c97/0x3190 [cifs]\n iterate_dir+0x1a1/0x520\n __x64_sys_getdents64+0x134/0x220\n do_syscall_64+0x4b/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n The buggy address belongs to the object at ffff8880099b8000\n which belongs to the cache cifs_request of size 16588\n The buggy address is located 412 bytes inside of\n freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)\n\n The buggy address belongs to the physical page:\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8\n head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n anon flags: 0x80000000000040(head|node=0|zone=1)\n page_type: f5(slab)\n raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\n raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\n head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\n head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\n head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff\n head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ==================================================================\n\nPOC is available in the link [1].\n\nThe problem triggering process is as follows:\n\nProcess 1 Process 2\n-----------------------------------\n---truncated---"}], "id": "CVE-2025-38051", "lastModified": "2025-06-18T13:46:52.973", "metrics": {}, "published": "2025-06-18T10:15:37.693", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1b197931fbc821bc7e9e91bf619400db563e3338"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/73cadde98f67f76c5eba00ac0b72c453383cec8b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9bea368648ac46f8593a780760362e40291d22a9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9c9aafbacc183598f064902365e107b5e856531f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a7a8fe56e932a36f43e031b398aef92341bf5ea0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/aee067e88d61eb72e966f094e4749c6b14e7008f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c8623231e0edfcccb7cc6add0288fa0f0594282f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: smb: client: Fix use-after-free in cifs_fill_dirent", "id": "2373329", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373329"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nsmb: client: Fix use-after-free in cifs_fill_dirent\nThere is a race condition in the readdir concurrency process, which may\naccess the rsp buffer after it has been released, triggering the\nfollowing KASAN warning.\n==================================================================\nBUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]\nRead of size 4 at addr ffff8880099b819c by task a.out/342975\nCPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\nCall Trace:\n<TASK>\ndump_stack_lvl+0x53/0x70\nprint_report+0xce/0x640\nkasan_report+0xb8/0xf0\ncifs_fill_dirent+0xb03/0xb60 [cifs]\ncifs_readdir+0x12cb/0x3190 [cifs]\niterate_dir+0x1a1/0x520\n__x64_sys_getdents+0x134/0x220\ndo_syscall_64+0x4b/0x110\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f996f64b9f9\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89\nf7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01\nf0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8\nRSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e\nRAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88\nR13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000\n</TASK>\nAllocated by task 408:\nkasan_save_stack+0x20/0x40\nkasan_save_track+0x14/0x30\n__kasan_slab_alloc+0x6e/0x70\nkmem_cache_alloc_noprof+0x117/0x3d0\nmempool_alloc_noprof+0xf2/0x2c0\ncifs_buf_get+0x36/0x80 [cifs]\nallocate_buffers+0x1d2/0x330 [cifs]\ncifs_demultiplex_thread+0x22b/0x2690 [cifs]\nkthread+0x394/0x720\nret_from_fork+0x34/0x70\nret_from_fork_asm+0x1a/0x30\nFreed by task 342979:\nkasan_save_stack+0x20/0x40\nkasan_save_track+0x14/0x30\nkasan_save_free_info+0x3b/0x60\n__kasan_slab_free+0x37/0x50\nkmem_cache_free+0x2b8/0x500\ncifs_buf_release+0x3c/0x70 [cifs]\ncifs_readdir+0x1c97/0x3190 [cifs]\niterate_dir+0x1a1/0x520\n__x64_sys_getdents64+0x134/0x220\ndo_syscall_64+0x4b/0x110\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nThe buggy address belongs to the object at ffff8880099b8000\nwhich belongs to the cache cifs_request of size 16588\nThe buggy address is located 412 bytes inside of\nfreed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8\nhead: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nanon flags: 0x80000000000040(head|node=0|zone=1)\npage_type: f5(slab)\nraw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\nraw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\nhead: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\nhead: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\nhead: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff\nhead: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008\npage dumped because: kasan: bad access detected\nMemory state around the buggy address:\nffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\nffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n>ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n^\nffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\nffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\nPOC is available in the link [1].\nThe problem triggering process is as follows:\nProcess 1 Process 2\n-----------------------------------\n---truncated---"], "name": "CVE-2025-38051", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-06-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38051\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38051\nhttps://lore.kernel.org/linux-cve-announce/2025061831-CVE-2025-38051-77da@gregkh/T"], "threat_severity": "Moderate"}

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object