{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38488","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:24.021Z","datePublished":"2025-07-28T11:21:52.085Z","dateUpdated":"2026-05-11T21:28:58.976Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:28:58.976Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in crypt_message when using async crypto\n\nThe CVE-2024-50047 fix removed asynchronous crypto handling from\ncrypt_message(), assuming all crypto operations are synchronous.\nHowever, when hardware crypto accelerators are used, this can cause\nuse-after-free crashes:\n\n  crypt_message()\n    // Allocate the creq buffer containing the req\n    creq = smb2_get_aead_req(..., &req);\n\n    // Async encryption returns -EINPROGRESS immediately\n    rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);\n\n    // Free creq while async operation is still in progress\n    kvfree_sensitive(creq, ...);\n\nHardware crypto modules often implement async AEAD operations for\nperformance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS,\nthe operation completes asynchronously. Without crypto_wait_req(),\nthe function immediately frees the request buffer, leading to crashes\nwhen the driver later accesses the freed memory.\n\nThis results in a use-after-free condition when the hardware crypto\ndriver later accesses the freed request structure, leading to kernel\ncrashes with NULL pointer dereferences.\n\nThe issue occurs because crypto_alloc_aead() with mask=0 doesn't\nguarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in\nthe mask, async implementations can be selected.\n\nFix by restoring the async crypto handling:\n- DECLARE_CRYPTO_WAIT(wait) for completion tracking\n- aead_request_set_callback() for async completion notification\n- crypto_wait_req() to wait for operation completion\n\nThis ensures the request buffer isn't freed until the crypto operation\ncompletes, whether synchronous or asynchronous, while preserving the\nCVE-2024-50047 fix."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/client/smb2ops.c"],"versions":[{"version":"8f14a476abba13144df5434871a7225fd29af633","lessThan":"5d047b12f86cc3b9fde1171c02d9bccf4dba0632","status":"affected","versionType":"git"},{"version":"ef51c0d544b1518b35364480317ab6d3468f205d","lessThan":"6550b2bef095d0dd2d2c8390d2ea4c3837028833","status":"affected","versionType":"git"},{"version":"bce966530fd5542bbb422cb45ecb775f7a1a6bc3","lessThan":"9a1d3e8d40f151c2d5a5f40c410e6e433f62f438","status":"affected","versionType":"git"},{"version":"0809fb86ad13b29e1d6d491364fc7ea4fb545995","lessThan":"15a0a5de49507062bc3be4014a403d8cea5533de","status":"affected","versionType":"git"},{"version":"b0abcd65ec545701b8793e12bc27dc98042b151a","lessThan":"2a76bc2b24ed889a689fb1c9015307bf16aafb5b","status":"affected","versionType":"git"},{"version":"b0abcd65ec545701b8793e12bc27dc98042b151a","lessThan":"8ac90f6824fc44d2e55a82503ddfc95defb19ae0","status":"affected","versionType":"git"},{"version":"b0abcd65ec545701b8793e12bc27dc98042b151a","lessThan":"b220bed63330c0e1733dc06ea8e75d5b9962b6b6","status":"affected","versionType":"git"},{"version":"538c26d9bf70c90edc460d18c81008a4e555925a","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/client/smb2ops.c"],"versions":[{"version":"6.12","status":"affected"},{"version":"0","lessThan":"6.12","status":"unaffected","versionType":"semver"},{"version":"5.10.241","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.190","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.147","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.100","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.40","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.8","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.237","versionEndExcluding":"5.10.241"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.181","versionEndExcluding":"5.15.190"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.128","versionEndExcluding":"6.1.147"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.57","versionEndExcluding":"6.6.100"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.40"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.15.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11.4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5d047b12f86cc3b9fde1171c02d9bccf4dba0632"},{"url":"https://git.kernel.org/stable/c/6550b2bef095d0dd2d2c8390d2ea4c3837028833"},{"url":"https://git.kernel.org/stable/c/9a1d3e8d40f151c2d5a5f40c410e6e433f62f438"},{"url":"https://git.kernel.org/stable/c/15a0a5de49507062bc3be4014a403d8cea5533de"},{"url":"https://git.kernel.org/stable/c/2a76bc2b24ed889a689fb1c9015307bf16aafb5b"},{"url":"https://git.kernel.org/stable/c/8ac90f6824fc44d2e55a82503ddfc95defb19ae0"},{"url":"https://git.kernel.org/stable/c/b220bed63330c0e1733dc06ea8e75d5b9962b6b6"}],"title":"smb: client: fix use-after-free in crypt_message when using async crypto","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:38:58.858Z"}}]}}