2373329 – (CVE-2025-38051) CVE-2025-38051 kernel: smb: client: Fix use-after-free in cifs_fill_dirent

Bug 2373329 (CVE-2025-38051) - CVE-2025-38051 kernel: smb: client: Fix use-after-free in cifs_fill_dirent

Summary: CVE-2025-38051 kernel: smb: client: Fix use-after-free in cifs_fill_dirent

Keywords:
Status:	NEW
Alias:	CVE-2025-38051
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-06-18 10:01 UTC by OSIDB Bzimport
Modified:	2026-02-16 17:47 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2026:0533	None	None	None	2026-01-14 00:13:36 UTC
Red Hat Product Errata	RHSA-2026:0536	None	None	None	2026-01-14 00:19:20 UTC
Red Hat Product Errata	RHSA-2026:0643	None	None	None	2026-01-15 01:07:57 UTC
Red Hat Product Errata	RHSA-2026:0759	None	None	None	2026-01-19 03:48:25 UTC
Red Hat Product Errata	RHSA-2026:0760	None	None	None	2026-01-19 03:08:44 UTC
Red Hat Product Errata	RHSA-2026:1445	None	None	None	2026-01-28 00:27:27 UTC
Red Hat Product Errata	RHSA-2026:1494	None	None	None	2026-01-28 15:08:05 UTC
Red Hat Product Errata	RHSA-2026:1495	None	None	None	2026-01-28 15:04:22 UTC
Red Hat Product Errata	RHSA-2026:1879	None	None	None	2026-02-04 15:44:40 UTC
Red Hat Product Errata	RHSA-2026:2352	None	None	None	2026-02-09 17:46:39 UTC
Red Hat Product Errata	RHSA-2026:2560	None	None	None	2026-02-11 14:33:53 UTC
Red Hat Product Errata	RHSA-2026:2583	None	None	None	2026-02-11 17:45:15 UTC
Red Hat Product Errata	RHSA-2026:2761	None	None	None	2026-02-16 17:47:04 UTC

Description OSIDB Bzimport 2025-06-18 10:01:53 UTC

In the Linux kernel, the following vulnerability has been resolved:

smb: client: Fix use-after-free in cifs_fill_dirent

There is a race condition in the readdir concurrency process, which may
access the rsp buffer after it has been released, triggering the
following KASAN warning.

 ==================================================================
 BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]
 Read of size 4 at addr ffff8880099b819c by task a.out/342975

 CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
 Call Trace:
  <TASK>
  dump_stack_lvl+0x53/0x70
  print_report+0xce/0x640
  kasan_report+0xb8/0xf0
  cifs_fill_dirent+0xb03/0xb60 [cifs]
  cifs_readdir+0x12cb/0x3190 [cifs]
  iterate_dir+0x1a1/0x520
  __x64_sys_getdents+0x134/0x220
  do_syscall_64+0x4b/0x110
  entry_SYSCALL_64_after_hwframe+0x76/0x7e
 RIP: 0033:0x7f996f64b9f9
 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89
 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
 f0 ff ff  0d f7 c3 0c 00 f7 d8 64 89 8
 RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e
 RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
 RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88
 R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000
  </TASK>

 Allocated by task 408:
  kasan_save_stack+0x20/0x40
  kasan_save_track+0x14/0x30
  __kasan_slab_alloc+0x6e/0x70
  kmem_cache_alloc_noprof+0x117/0x3d0
  mempool_alloc_noprof+0xf2/0x2c0
  cifs_buf_get+0x36/0x80 [cifs]
  allocate_buffers+0x1d2/0x330 [cifs]
  cifs_demultiplex_thread+0x22b/0x2690 [cifs]
  kthread+0x394/0x720
  ret_from_fork+0x34/0x70
  ret_from_fork_asm+0x1a/0x30

 Freed by task 342979:
  kasan_save_stack+0x20/0x40
  kasan_save_track+0x14/0x30
  kasan_save_free_info+0x3b/0x60
  __kasan_slab_free+0x37/0x50
  kmem_cache_free+0x2b8/0x500
  cifs_buf_release+0x3c/0x70 [cifs]
  cifs_readdir+0x1c97/0x3190 [cifs]
  iterate_dir+0x1a1/0x520
  __x64_sys_getdents64+0x134/0x220
  do_syscall_64+0x4b/0x110
  entry_SYSCALL_64_after_hwframe+0x76/0x7e

 The buggy address belongs to the object at ffff8880099b8000
  which belongs to the cache cifs_request of size 16588
 The buggy address is located 412 bytes inside of
  freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)

 The buggy address belongs to the physical page:
 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8
 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
 anon flags: 0x80000000000040(head|node=0|zone=1)
 page_type: f5(slab)
 raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001
 raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
 head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001
 head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
 head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff
 head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                             ^
  ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ==================================================================

POC is available in the link [1].

The problem triggering process is as follows:

Process 1                       Process 2
-----------------------------------
---truncated---

Comment 1 Avinash Hanwate 2025-06-21 04:24:48 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025061831-CVE-2025-38051-77da@gregkh/T

Comment 3 errata-xmlrpc 2026-01-14 00:13:34 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:0533 https://access.redhat.com/errata/RHSA-2026:0533

Comment 4 errata-xmlrpc 2026-01-14 00:19:19 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:0536 https://access.redhat.com/errata/RHSA-2026:0536

Comment 5 errata-xmlrpc 2026-01-15 01:07:56 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:0643 https://access.redhat.com/errata/RHSA-2026:0643

Comment 6 errata-xmlrpc 2026-01-19 03:08:42 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:0760 https://access.redhat.com/errata/RHSA-2026:0760

Comment 7 errata-xmlrpc 2026-01-19 03:48:24 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:0759 https://access.redhat.com/errata/RHSA-2026:0759

Comment 8 errata-xmlrpc 2026-01-28 00:27:25 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:1445 https://access.redhat.com/errata/RHSA-2026:1445

Comment 9 errata-xmlrpc 2026-01-28 15:04:21 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:1495 https://access.redhat.com/errata/RHSA-2026:1495

Comment 10 errata-xmlrpc 2026-01-28 15:08:03 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:1494 https://access.redhat.com/errata/RHSA-2026:1494

Comment 11 errata-xmlrpc 2026-02-04 15:44:38 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:1879 https://access.redhat.com/errata/RHSA-2026:1879

Comment 12 errata-xmlrpc 2026-02-09 17:46:38 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:2352 https://access.redhat.com/errata/RHSA-2026:2352

Comment 13 errata-xmlrpc 2026-02-11 14:33:48 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:2560 https://access.redhat.com/errata/RHSA-2026:2560

Comment 14 errata-xmlrpc 2026-02-11 17:45:13 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:2583 https://access.redhat.com/errata/RHSA-2026:2583

Comment 15 errata-xmlrpc 2026-02-16 17:47:02 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:2761 https://access.redhat.com/errata/RHSA-2026:2761

Note You need to log in before you can comment on or make changes to this bug.