{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40090","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.162Z","datePublished":"2025-10-30T09:47:58.611Z","dateUpdated":"2026-05-11T21:42:19.205Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:42:19.205Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix recursive locking in RPC handle list access\n\nSince commit 305853cce3794 (\"ksmbd: Fix race condition in RPC handle list\naccess\"), ksmbd_session_rpc_method() attempts to lock sess->rpc_lock.\n\nThis causes hung connections / tasks when a client attempts to open\na named pipe. Using Samba's rpcclient tool:\n\n $ rpcclient //192.168.1.254 -U user%password\n $ rpcclient $> srvinfo\n <connection hung here>\n\nKernel side:\n  \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n  task:kworker/0:0 state:D stack:0 pid:5021 tgid:5021 ppid:2 flags:0x00200000\n  Workqueue: ksmbd-io handle_ksmbd_work\n  Call trace:\n  __schedule from schedule+0x3c/0x58\n  schedule from schedule_preempt_disabled+0xc/0x10\n  schedule_preempt_disabled from rwsem_down_read_slowpath+0x1b0/0x1d8\n  rwsem_down_read_slowpath from down_read+0x28/0x30\n  down_read from ksmbd_session_rpc_method+0x18/0x3c\n  ksmbd_session_rpc_method from ksmbd_rpc_open+0x34/0x68\n  ksmbd_rpc_open from ksmbd_session_rpc_open+0x194/0x228\n  ksmbd_session_rpc_open from create_smb2_pipe+0x8c/0x2c8\n  create_smb2_pipe from smb2_open+0x10c/0x27ac\n  smb2_open from handle_ksmbd_work+0x238/0x3dc\n  handle_ksmbd_work from process_scheduled_works+0x160/0x25c\n  process_scheduled_works from worker_thread+0x16c/0x1e8\n  worker_thread from kthread+0xa8/0xb8\n  kthread from ret_from_fork+0x14/0x38\n  Exception stack(0x8529ffb0 to 0x8529fff8)\n\nThe task deadlocks because the lock is already held:\n  ksmbd_session_rpc_open\n    down_write(&sess->rpc_lock)\n    ksmbd_rpc_open\n      ksmbd_session_rpc_method\n        down_read(&sess->rpc_lock)   <-- deadlock\n\nAdjust ksmbd_session_rpc_method() callers to take the lock when necessary."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/server/mgmt/user_session.c","fs/smb/server/smb2pdu.c","fs/smb/server/transport_ipc.c"],"versions":[{"version":"69674b029002b1d90b655f014bdf64f404efa54d","lessThan":"5493571f4351f74e11db9943e98a07c56467cf7e","status":"affected","versionType":"git"},{"version":"6b615a8fb3af0baf8126cde3d4fee97d57222ffc","lessThan":"1891abe832cbf5a11039e088766131d0f1642d02","status":"affected","versionType":"git"},{"version":"5cc679ba0f4505936124cd4179ba66bb0a4bd9f3","lessThan":"4602b8cee1481dbb896182e5cb1e8cf12910e9e7","status":"affected","versionType":"git"},{"version":"6bd7e0e55dcea2cf0d391bbc21c2eb069b4be3e1","lessThan":"3412fbd81b46b9cfae013817b61d4bbd27e09e36","status":"affected","versionType":"git"},{"version":"305853cce379407090a73b38c5de5ba748893aee","lessThan":"88f170814fea74911ceab798a43cbd7c5599bed4","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/server/mgmt/user_session.c","fs/smb/server/smb2pdu.c","fs/smb/server/transport_ipc.c"],"versions":[{"version":"6.12.53","lessThan":"6.12.55","status":"affected","versionType":"semver"},{"version":"6.17.3","lessThan":"6.17.5","status":"affected","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.53","versionEndExcluding":"6.12.55"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.17.3","versionEndExcluding":"6.17.5"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5493571f4351f74e11db9943e98a07c56467cf7e"},{"url":"https://git.kernel.org/stable/c/1891abe832cbf5a11039e088766131d0f1642d02"},{"url":"https://git.kernel.org/stable/c/4602b8cee1481dbb896182e5cb1e8cf12910e9e7"},{"url":"https://git.kernel.org/stable/c/3412fbd81b46b9cfae013817b61d4bbd27e09e36"},{"url":"https://git.kernel.org/stable/c/88f170814fea74911ceab798a43cbd7c5599bed4"}],"title":"ksmbd: fix recursive locking in RPC handle list access","x_generator":{"engine":"bippy-1.2.0"}}}}