{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38527","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:24.023Z","datePublished":"2025-08-16T11:12:20.843Z","dateUpdated":"2026-05-11T21:29:44.825Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:29:44.825Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in cifs_oplock_break\n\nA race condition can occur in cifs_oplock_break() leading to a\nuse-after-free of the cinode structure when unmounting:\n\n  cifs_oplock_break()\n    _cifsFileInfo_put(cfile)\n      cifsFileInfo_put_final()\n        cifs_sb_deactive()\n          [last ref, start releasing sb]\n            kill_sb()\n              kill_anon_super()\n                generic_shutdown_super()\n                  evict_inodes()\n                    dispose_list()\n                      evict()\n                        destroy_inode()\n                          call_rcu(&inode->i_rcu, i_callback)\n    spin_lock(&cinode->open_file_lock)  <- OK\n                            [later] i_callback()\n                              cifs_free_inode()\n                                kmem_cache_free(cinode)\n    spin_unlock(&cinode->open_file_lock)  <- UAF\n    cifs_done_oplock_break(cinode)       <- UAF\n\nThe issue occurs when umount has already released its reference to the\nsuperblock. When _cifsFileInfo_put() calls cifs_sb_deactive(), this\nreleases the last reference, triggering the immediate cleanup of all\ninodes under RCU. However, cifs_oplock_break() continues to access the\ncinode after this point, resulting in use-after-free.\n\nFix this by holding an extra reference to the superblock during the\nentire oplock break operation. This ensures that the superblock and\nits inodes remain valid until the oplock break completes."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/client/file.c"],"versions":[{"version":"b98749cac4a695f084a5ff076f4510b23e353ecd","lessThan":"4256a483fe58af66a46cbf3dc48ff26e580d3308","status":"affected","versionType":"git"},{"version":"b98749cac4a695f084a5ff076f4510b23e353ecd","lessThan":"0a4eec84d4d2c4085d4ed8630fd74e4b39033c1b","status":"affected","versionType":"git"},{"version":"b98749cac4a695f084a5ff076f4510b23e353ecd","lessThan":"2baaf5bbab2ac474c4f92c10fcb3310f824db995","status":"affected","versionType":"git"},{"version":"b98749cac4a695f084a5ff076f4510b23e353ecd","lessThan":"09bce2138a30ef10d8821c8c3f73a4ab7a5726bc","status":"affected","versionType":"git"},{"version":"b98749cac4a695f084a5ff076f4510b23e353ecd","lessThan":"da11bd4b697b393a207f19a2ed7d382a811a3ddc","status":"affected","versionType":"git"},{"version":"b98749cac4a695f084a5ff076f4510b23e353ecd","lessThan":"705c79101ccf9edea5a00d761491a03ced314210","status":"affected","versionType":"git"},{"version":"2429fcf06d3cb962693868ab0a927c9038f12a2d","status":"affected","versionType":"git"},{"version":"1ee4f2d7cdcd4508cc3cbe3b2622d7177b89da12","status":"affected","versionType":"git"},{"version":"53fc31a4853e30d6e8f142b824f724da27ff3e40","status":"affected","versionType":"git"},{"version":"8092ecc306d81186a64cda42411121f4d35aaff4","status":"affected","versionType":"git"},{"version":"ebac4d0adf68f8962bd82fcf483936edd6ec095b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/client/file.c"],"versions":[{"version":"5.1","status":"affected"},{"version":"0","lessThan":"5.1","status":"unaffected","versionType":"semver"},{"version":"5.15.190","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.147","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.100","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.40","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.8","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"5.15.190"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"6.1.147"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"6.6.100"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"6.12.40"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"6.15.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"6.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16.72"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9.171"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.114"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.37"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0.10"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4256a483fe58af66a46cbf3dc48ff26e580d3308"},{"url":"https://git.kernel.org/stable/c/0a4eec84d4d2c4085d4ed8630fd74e4b39033c1b"},{"url":"https://git.kernel.org/stable/c/2baaf5bbab2ac474c4f92c10fcb3310f824db995"},{"url":"https://git.kernel.org/stable/c/09bce2138a30ef10d8821c8c3f73a4ab7a5726bc"},{"url":"https://git.kernel.org/stable/c/da11bd4b697b393a207f19a2ed7d382a811a3ddc"},{"url":"https://git.kernel.org/stable/c/705c79101ccf9edea5a00d761491a03ced314210"}],"title":"smb: client: fix use-after-free in cifs_oplock_break","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:39:23.898Z"}}]}}