{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2025-38527", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:24.023Z", "datePublished": "2025-08-16T11:12:20.843Z", "dateUpdated": "2026-05-23T15:59:58.193Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-23T15:59:58.193Z" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in cifs_oplock_break\n\nA race condition can occur in cifs_oplock_break() leading to a\nuse-after-free of the cinode structure when unmounting:\n\n cifs_oplock_break()\n _cifsFileInfo_put(cfile)\n cifsFileInfo_put_final()\n cifs_sb_deactive()\n [last ref, start releasing sb]\n kill_sb()\n kill_anon_super()\n generic_shutdown_super()\n evict_inodes()\n dispose_list()\n evict()\n destroy_inode()\n call_rcu(&inode->i_rcu, i_callback)\n spin_lock(&cinode->open_file_lock) <- OK\n [later] i_callback()\n cifs_free_inode()\n kmem_cache_free(cinode)\n spin_unlock(&cinode->open_file_lock) <- UAF\n cifs_done_oplock_break(cinode) <- UAF\n\nThe issue occurs when umount has already released its reference to the\nsuperblock. When _cifsFileInfo_put() calls cifs_sb_deactive(), this\nreleases the last reference, triggering the immediate cleanup of all\ninodes under RCU. However, cifs_oplock_break() continues to access the\ncinode after this point, resulting in use-after-free.\n\nFix this by holding an extra reference to the superblock during the\nentire oplock break operation. This ensures that the superblock and\nits inodes remain valid until the oplock break completes." } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "fs/smb/client/file.c" ], "versions": [ { "version": "b98749cac4a695f084a5ff076f4510b23e353ecd", "lessThan": "4256a483fe58af66a46cbf3dc48ff26e580d3308", "status": "affected", "versionType": "git" }, { "version": "b98749cac4a695f084a5ff076f4510b23e353ecd", "lessThan": "0a4eec84d4d2c4085d4ed8630fd74e4b39033c1b", "status": "affected", "versionType": "git" }, { "version": "b98749cac4a695f084a5ff076f4510b23e353ecd", "lessThan": "2baaf5bbab2ac474c4f92c10fcb3310f824db995", "status": "affected", "versionType": "git" }, { "version": "b98749cac4a695f084a5ff076f4510b23e353ecd", "lessThan": "09bce2138a30ef10d8821c8c3f73a4ab7a5726bc", "status": "affected", "versionType": "git" }, { "version": "b98749cac4a695f084a5ff076f4510b23e353ecd", "lessThan": "da11bd4b697b393a207f19a2ed7d382a811a3ddc", "status": "affected", "versionType": "git" }, { "version": "b98749cac4a695f084a5ff076f4510b23e353ecd", "lessThan": "705c79101ccf9edea5a00d761491a03ced314210", "status": "affected", "versionType": "git" }, { "version": "2429fcf06d3cb962693868ab0a927c9038f12a2d", "status": "affected", "versionType": "git" }, { "version": "1ee4f2d7cdcd4508cc3cbe3b2622d7177b89da12", "status": "affected", "versionType": "git" }, { "version": "53fc31a4853e30d6e8f142b824f724da27ff3e40", "status": "affected", "versionType": "git" }, { "version": "8092ecc306d81186a64cda42411121f4d35aaff4", "status": "affected", "versionType": "git" }, { "version": "ebac4d0adf68f8962bd82fcf483936edd6ec095b", "status": "affected", "versionType": "git" }, { "version": "3.16.72", "lessThan": "3.17", "status": "affected", "versionType": "semver" }, { "version": "4.9.171", "lessThan": "4.10", "status": "affected", "versionType": "semver" }, { "version": "4.14.114", "lessThan": "4.15", "status": "affected", "versionType": "semver" }, { "version": "4.19.37", "lessThan": "4.20", "status": "affected", "versionType": "semver" }, { "version": "5.0.10", "lessThan": "5.1", "status": "affected", "versionType": "semver" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "fs/smb/client/file.c" ], "versions": [ { "version": "5.1", "status": "affected" }, { "version": "0", "lessThan": "5.1", "status": "unaffected", "versionType": "semver" }, { "version": "5.15.190", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.1.147", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.6.100", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.12.40", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.15.8", "lessThanOrEqual": "6.15.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.1", "versionEndExcluding": "5.15.190" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.1", "versionEndExcluding": "6.1.147" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.1", "versionEndExcluding": "6.6.100" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.1", "versionEndExcluding": "6.12.40" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.1", "versionEndExcluding": "6.15.8" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.1", "versionEndExcluding": "6.16" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16.72" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.171" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.114" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.37" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.10" } ] } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/4256a483fe58af66a46cbf3dc48ff26e580d3308" }, { "url": "https://git.kernel.org/stable/c/0a4eec84d4d2c4085d4ed8630fd74e4b39033c1b" }, { "url": "https://git.kernel.org/stable/c/2baaf5bbab2ac474c4f92c10fcb3310f824db995" }, { "url": "https://git.kernel.org/stable/c/09bce2138a30ef10d8821c8c3f73a4ab7a5726bc" }, { "url": "https://git.kernel.org/stable/c/da11bd4b697b393a207f19a2ed7d382a811a3ddc" }, { "url": "https://git.kernel.org/stable/c/705c79101ccf9edea5a00d761491a03ced314210" } ], "title": "smb: client: fix use-after-free in cifs_oplock_break", "x_generator": { "engine": "bippy-1.2.0" } }, "adp": [ { "title": "CVE Program Container", "references": [ { "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html" } ], "providerMetadata": { "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T17:39:23.898Z" } } ] } }