{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-68809","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-24T10:30:51.047Z","datePublished":"2026-01-13T15:29:15.817Z","dateUpdated":"2026-05-11T21:53:45.694Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:53:45.694Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: vfs: fix race on m_flags in vfs_cache\n\nksmbd maintains delete-on-close and pending-delete state in\nksmbd_inode->m_flags. In vfs_cache.c this field is accessed under\ninconsistent locking: some paths read and modify m_flags under\nci->m_lock while others do so without taking the lock at all.\n\nExamples:\n\n - ksmbd_query_inode_status() and __ksmbd_inode_close() use\n   ci->m_lock when checking or updating m_flags.\n - ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),\n   ksmbd_clear_inode_pending_delete() and ksmbd_fd_set_delete_on_close()\n   used to read and modify m_flags without ci->m_lock.\n\nThis creates a potential data race on m_flags when multiple threads\nopen, close and delete the same file concurrently. In the worst case\ndelete-on-close and pending-delete bits can be lost or observed in an\ninconsistent state, leading to confusing delete semantics (files that\nstay on disk after delete-on-close, or files that disappear while still\nin use).\n\nFix it by:\n\n - Making ksmbd_query_inode_status() look at m_flags under ci->m_lock\n   after dropping inode_hash_lock.\n - Adding ci->m_lock protection to all helpers that read or modify\n   m_flags (ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),\n   ksmbd_clear_inode_pending_delete(), ksmbd_fd_set_delete_on_close()).\n - Keeping the existing ci->m_lock protection in __ksmbd_inode_close(),\n   and moving the actual unlink/xattr removal outside the lock.\n\nThis unifies the locking around m_flags and removes the data race while\npreserving the existing delete-on-close behaviour."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/server/vfs_cache.c"],"versions":[{"version":"f44158485826c076335d6860d35872271a83791d","lessThan":"5adad9727a815c26013b0d41cfee92ffa7d4037c","status":"affected","versionType":"git"},{"version":"f44158485826c076335d6860d35872271a83791d","lessThan":"ccc78781041589ea383e61d5d7a1e9a31b210b93","status":"affected","versionType":"git"},{"version":"f44158485826c076335d6860d35872271a83791d","lessThan":"ee63729760f5b61a66f345c54dc4c7514e62383d","status":"affected","versionType":"git"},{"version":"f44158485826c076335d6860d35872271a83791d","lessThan":"991f8a79db99b14c48d20d2052c82d65b9186cad","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/smb/server/vfs_cache.c"],"versions":[{"version":"5.15","status":"affected"},{"version":"0","lessThan":"5.15","status":"unaffected","versionType":"semver"},{"version":"6.6.120","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.64","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.3","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.6.120"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.12.64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.18.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.19"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5adad9727a815c26013b0d41cfee92ffa7d4037c"},{"url":"https://git.kernel.org/stable/c/ccc78781041589ea383e61d5d7a1e9a31b210b93"},{"url":"https://git.kernel.org/stable/c/ee63729760f5b61a66f345c54dc4c7514e62383d"},{"url":"https://git.kernel.org/stable/c/991f8a79db99b14c48d20d2052c82d65b9186cad"}],"title":"ksmbd: vfs: fix race on m_flags in vfs_cache","x_generator":{"engine":"bippy-1.2.0"}}}}