{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40099","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.164Z","datePublished":"2025-10-30T09:48:05.859Z","dateUpdated":"2026-05-11T21:42:29.773Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:42:29.773Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: parse_dfs_referrals: prevent oob on malformed input\n\nMalicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS\n\n- reply smaller than sizeof(struct get_dfs_referral_rsp)\n- reply with number of referrals smaller than NumberOfReferrals in the\nheader\n\nProcessing of such replies will cause oob.\n\nReturn -EINVAL error on such replies to prevent oob-s."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/client/misc.c"],"versions":[{"version":"4ecce920e13ace16a5ba45efe8909946c28fb2ad","lessThan":"cfacc7441f760e4a73cc71b6ff1635261d534657","status":"affected","versionType":"git"},{"version":"4ecce920e13ace16a5ba45efe8909946c28fb2ad","lessThan":"15c73964da9df994302f579ed14ee5fdbce7a332","status":"affected","versionType":"git"},{"version":"4ecce920e13ace16a5ba45efe8909946c28fb2ad","lessThan":"8bc4a8d39bac23d8b044fd3e2dbfd965f1d9b058","status":"affected","versionType":"git"},{"version":"4ecce920e13ace16a5ba45efe8909946c28fb2ad","lessThan":"bb0f2e66e1ac043a5b238f5bcab4f26f3c317039","status":"affected","versionType":"git"},{"version":"4ecce920e13ace16a5ba45efe8909946c28fb2ad","lessThan":"6447b0e355562a1ff748c4a2ffb89aae7e84d2c9","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/client/misc.c"],"versions":[{"version":"4.11","status":"affected"},{"version":"0","lessThan":"4.11","status":"unaffected","versionType":"semver"},{"version":"6.1.158","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.114","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.55","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.5","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"6.1.158"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"6.6.114"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"6.12.55"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"6.17.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/cfacc7441f760e4a73cc71b6ff1635261d534657"},{"url":"https://git.kernel.org/stable/c/15c73964da9df994302f579ed14ee5fdbce7a332"},{"url":"https://git.kernel.org/stable/c/8bc4a8d39bac23d8b044fd3e2dbfd965f1d9b058"},{"url":"https://git.kernel.org/stable/c/bb0f2e66e1ac043a5b238f5bcab4f26f3c317039"},{"url":"https://git.kernel.org/stable/c/6447b0e355562a1ff748c4a2ffb89aae7e84d2c9"}],"title":"cifs: parse_dfs_referrals: prevent oob on malformed input","x_generator":{"engine":"bippy-1.2.0"}}}}