{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38051","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.979Z","datePublished":"2025-06-18T09:33:32.805Z","dateUpdated":"2026-05-11T21:20:19.296Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:20:19.296Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Fix use-after-free in cifs_fill_dirent\n\nThere is a race condition in the readdir concurrency process, which may\naccess the rsp buffer after it has been released, triggering the\nfollowing KASAN warning.\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]\n Read of size 4 at addr ffff8880099b819c by task a.out/342975\n\n CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x53/0x70\n  print_report+0xce/0x640\n  kasan_report+0xb8/0xf0\n  cifs_fill_dirent+0xb03/0xb60 [cifs]\n  cifs_readdir+0x12cb/0x3190 [cifs]\n  iterate_dir+0x1a1/0x520\n  __x64_sys_getdents+0x134/0x220\n  do_syscall_64+0x4b/0x110\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f996f64b9f9\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89\n f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01\n f0 ff ff  0d f7 c3 0c 00 f7 d8 64 89 8\n RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e\n RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\n RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88\n R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000\n  </TASK>\n\n Allocated by task 408:\n  kasan_save_stack+0x20/0x40\n  kasan_save_track+0x14/0x30\n  __kasan_slab_alloc+0x6e/0x70\n  kmem_cache_alloc_noprof+0x117/0x3d0\n  mempool_alloc_noprof+0xf2/0x2c0\n  cifs_buf_get+0x36/0x80 [cifs]\n  allocate_buffers+0x1d2/0x330 [cifs]\n  cifs_demultiplex_thread+0x22b/0x2690 [cifs]\n  kthread+0x394/0x720\n  ret_from_fork+0x34/0x70\n  ret_from_fork_asm+0x1a/0x30\n\n Freed by task 342979:\n  kasan_save_stack+0x20/0x40\n  kasan_save_track+0x14/0x30\n  kasan_save_free_info+0x3b/0x60\n  __kasan_slab_free+0x37/0x50\n  kmem_cache_free+0x2b8/0x500\n  cifs_buf_release+0x3c/0x70 [cifs]\n  cifs_readdir+0x1c97/0x3190 [cifs]\n  iterate_dir+0x1a1/0x520\n  __x64_sys_getdents64+0x134/0x220\n  do_syscall_64+0x4b/0x110\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n The buggy address belongs to the object at ffff8880099b8000\n  which belongs to the cache cifs_request of size 16588\n The buggy address is located 412 bytes inside of\n  freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)\n\n The buggy address belongs to the physical page:\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8\n head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n anon flags: 0x80000000000040(head|node=0|zone=1)\n page_type: f5(slab)\n raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\n raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\n head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\n head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\n head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff\n head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n  ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                             ^\n  ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ==================================================================\n\nPOC is available in the link [1].\n\nThe problem triggering process is as follows:\n\nProcess 1                       Process 2\n-----------------------------------\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/client/readdir.c"],"versions":[{"version":"a364bc0b37f14ffd66c1f982af42990a9d77fa43","lessThan":"aee067e88d61eb72e966f094e4749c6b14e7008f","status":"affected","versionType":"git"},{"version":"a364bc0b37f14ffd66c1f982af42990a9d77fa43","lessThan":"a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e","status":"affected","versionType":"git"},{"version":"a364bc0b37f14ffd66c1f982af42990a9d77fa43","lessThan":"1b197931fbc821bc7e9e91bf619400db563e3338","status":"affected","versionType":"git"},{"version":"a364bc0b37f14ffd66c1f982af42990a9d77fa43","lessThan":"c8623231e0edfcccb7cc6add0288fa0f0594282f","status":"affected","versionType":"git"},{"version":"a364bc0b37f14ffd66c1f982af42990a9d77fa43","lessThan":"73cadde98f67f76c5eba00ac0b72c453383cec8b","status":"affected","versionType":"git"},{"version":"a364bc0b37f14ffd66c1f982af42990a9d77fa43","lessThan":"9bea368648ac46f8593a780760362e40291d22a9","status":"affected","versionType":"git"},{"version":"a364bc0b37f14ffd66c1f982af42990a9d77fa43","lessThan":"9c9aafbacc183598f064902365e107b5e856531f","status":"affected","versionType":"git"},{"version":"a364bc0b37f14ffd66c1f982af42990a9d77fa43","lessThan":"a7a8fe56e932a36f43e031b398aef92341bf5ea0","status":"affected","versionType":"git"},{"version":"0f3da51e7046e2eb28992ba65c22d058f571356c","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/client/readdir.c"],"versions":[{"version":"2.6.28","status":"affected"},{"version":"0","lessThan":"2.6.28","status":"unaffected","versionType":"semver"},{"version":"5.4.294","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.238","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.185","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.141","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.93","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.31","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.14.9","lessThanOrEqual":"6.14.*","status":"unaffected","versionType":"semver"},{"version":"6.15","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.28","versionEndExcluding":"5.4.294"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.28","versionEndExcluding":"5.10.238"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.28","versionEndExcluding":"5.15.185"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.28","versionEndExcluding":"6.1.141"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.28","versionEndExcluding":"6.6.93"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.28","versionEndExcluding":"6.12.31"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.28","versionEndExcluding":"6.14.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.28","versionEndExcluding":"6.15"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.27.4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/aee067e88d61eb72e966f094e4749c6b14e7008f"},{"url":"https://git.kernel.org/stable/c/a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e"},{"url":"https://git.kernel.org/stable/c/1b197931fbc821bc7e9e91bf619400db563e3338"},{"url":"https://git.kernel.org/stable/c/c8623231e0edfcccb7cc6add0288fa0f0594282f"},{"url":"https://git.kernel.org/stable/c/73cadde98f67f76c5eba00ac0b72c453383cec8b"},{"url":"https://git.kernel.org/stable/c/9bea368648ac46f8593a780760362e40291d22a9"},{"url":"https://git.kernel.org/stable/c/9c9aafbacc183598f064902365e107b5e856531f"},{"url":"https://git.kernel.org/stable/c/a7a8fe56e932a36f43e031b398aef92341bf5ea0"}],"title":"smb: client: Fix use-after-free in cifs_fill_dirent","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:33:23.156Z"}}]}}