NVD

CVE-2025-38051 Detail

Description

In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix use-after-free in cifs_fill_dirent There is a race condition in the readdir concurrency process, which may access the rsp buffer after it has been released, triggering the following KASAN warning. ================================================================== BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs] Read of size 4 at addr ffff8880099b819c by task a.out/342975 CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_report+0xce/0x640 kasan_report+0xb8/0xf0 cifs_fill_dirent+0xb03/0xb60 [cifs] cifs_readdir+0x12cb/0x3190 [cifs] iterate_dir+0x1a1/0x520 __x64_sys_getdents+0x134/0x220 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f996f64b9f9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8 RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88 R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000 </TASK> Allocated by task 408: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0x117/0x3d0 mempool_alloc_noprof+0xf2/0x2c0 cifs_buf_get+0x36/0x80 [cifs] allocate_buffers+0x1d2/0x330 [cifs] cifs_demultiplex_thread+0x22b/0x2690 [cifs] kthread+0x394/0x720 ret_from_fork+0x34/0x70 ret_from_fork_asm+0x1a/0x30 Freed by task 342979: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x37/0x50 kmem_cache_free+0x2b8/0x500 cifs_buf_release+0x3c/0x70 [cifs] cifs_readdir+0x1c97/0x3190 [cifs] iterate_dir+0x1a1/0x520 __x64_sys_getdents64+0x134/0x220 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff8880099b8000 which belongs to the cache cifs_request of size 16588 The buggy address is located 412 bytes inside of freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0x80000000000040(head|node=0|zone=1) page_type: f5(slab) raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000 head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001 head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000 head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== POC is available in the link [1]. The problem triggering process is as follows: Process 1 Process 2 ----------------------------------- ---truncated---

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: 7.0 HIGH

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL	Source(s)	Tag(s)
https://git.kernel.org/stable/c/1b197931fbc821bc7e9e91bf619400db563e3338	kernel.org	Patch
https://git.kernel.org/stable/c/73cadde98f67f76c5eba00ac0b72c453383cec8b	kernel.org	Patch
https://git.kernel.org/stable/c/9bea368648ac46f8593a780760362e40291d22a9	kernel.org	Patch
https://git.kernel.org/stable/c/9c9aafbacc183598f064902365e107b5e856531f	kernel.org	Patch
https://git.kernel.org/stable/c/a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e	kernel.org	Patch
https://git.kernel.org/stable/c/a7a8fe56e932a36f43e031b398aef92341bf5ea0	kernel.org	Patch
https://git.kernel.org/stable/c/aee067e88d61eb72e966f094e4749c6b14e7008f	kernel.org	Patch
https://git.kernel.org/stable/c/c8623231e0edfcccb7cc6add0288fa0f0594282f	kernel.org	Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html	CVE	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html	CVE	Third Party Advisory

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-416	Use After Free	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

4 change records found show changes

Reanalysis by NIST 1/12/2026 8:11:24 AM

Action

Type

Old Value

New Value

Added

CPE Configuration

OR
          *cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.238
          *cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.15:rc5:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.15:rc6:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.15:rc7:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.13 up to (excluding) 6.14.9
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.12.31
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.185
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.141
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.93
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 2.6.27.4 up to (excluding) 5.4.294

Removed

CPE Configuration

OR
          *cpe:2.3:o:linux:linux_kernel:2.6.27:-:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.238
          *cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.15:rc5:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.15:rc6:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.15:rc7:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.13 up to (excluding) 6.14.9
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.12.31
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.185
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.141
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.93
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 2.6.28 up to (excluding) 5.4.294

Initial Analysis by NIST 12/17/2025 1:26:11 PM

Action	Type	New Value
Added	CVSS V3.1	AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Added	CWE	CWE-416
Added	CPE Configuration	OR cpe:2.3:o:debian:debian_linux:11.0:::::::
Added	CPE Configuration	OR cpe:2.3:o:linux:linux_kernel:2.6.27:-::::::* cpe:2.3:o:linux:linux_kernel:6.15:rc1::::::* cpe:2.3:o:linux:linux_kernel:6.15:rc2::::::* cpe:2.3:o:linux:linux_kernel:6.15:rc3::::::* cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 5.5 up to (excluding) 5.10.238 cpe:2.3:o:linux:linux_kernel:6.15:rc4::::::* cpe:2.3:o:linux:linux_kernel:6.15:rc5::::::* cpe:2.3:o:linux:linux_kernel:6.15:rc6::::::* cpe:2.3:o:linux:linux_kernel:6.15:rc7::::::* cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.13 up to (excluding) 6.14.9 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.7 up to (excluding) 6.12.31 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 5.11 up to (excluding) 5.15.185 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 5.16 up to (excluding) 6.1.141 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.2 up to (excluding) 6.6.93 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 2.6.28 up to (excluding) 5.4.294
Added	Reference Type	CVE: https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html Types: Third Party Advisory
Added	Reference Type	CVE: https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html Types: Third Party Advisory
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/1b197931fbc821bc7e9e91bf619400db563e3338 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/73cadde98f67f76c5eba00ac0b72c453383cec8b Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/9bea368648ac46f8593a780760362e40291d22a9 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/9c9aafbacc183598f064902365e107b5e856531f Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/a7a8fe56e932a36f43e031b398aef92341bf5ea0 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/aee067e88d61eb72e966f094e4749c6b14e7008f Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/c8623231e0edfcccb7cc6add0288fa0f0594282f Types: Patch

New CVE Received from kernel.org 6/18/2025 6:15:37 AM

Action	Type	New Value
Added	Description	Record truncated, showing 2048 of 3998 characters. View Entire Change Record In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix use-after-free in cifs_fill_dirent There is a race condition in the readdir concurrency process, which may access the rsp buffer after it has been released, triggering the following KASAN warning. ================================================================== BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs] Read of size 4 at addr ffff8880099b819c by task a.out/342975 CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_report+0xce/0x640 kasan_report+0xb8/0xf0 cifs_fill_dirent+0xb03/0xb60 [cifs] cifs_readdir+0x12cb/0x3190 [cifs] iterate_dir+0x1a1/0x520 __x64_sys_getdents+0x134/0x220 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f996f64b9f9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8 RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88 R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000 </TASK> Allocated by task 408: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0x117/0x3d0 mempool_alloc_noprof+0xf2/0x2c0 cifs_buf_get+0x36/0x80 [cifs] allocate_buffers+0x1d2/0x330 [cifs] cifs_demultiplex_thread+0x22b/0x2690 [cifs] kthread+0x394/0x720 ret_from_fork+0x34/0x70 ret_from_fork_asm+0x1a/0x30 Freed by task 342979: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30
Added	Reference	https://git.kernel.org/stable/c/1b197931fbc821bc7e9e91bf619400db563e3338
Added	Reference	https://git.kernel.org/stable/c/73cadde98f67f76c5eba00ac0b72c453383cec8b
Added	Reference	https://git.kernel.org/stable/c/9bea368648ac46f8593a780760362e40291d22a9
Added	Reference	https://git.kernel.org/stable/c/9c9aafbacc183598f064902365e107b5e856531f
Added	Reference	https://git.kernel.org/stable/c/a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e
Added	Reference	https://git.kernel.org/stable/c/a7a8fe56e932a36f43e031b398aef92341bf5ea0
Added	Reference	https://git.kernel.org/stable/c/aee067e88d61eb72e966f094e4749c6b14e7008f
Added	Reference	https://git.kernel.org/stable/c/c8623231e0edfcccb7cc6add0288fa0f0594282f

Quick Info

CVE Dictionary Entry:
CVE-2025-38051
NVD Published Date:
06/18/2025
NVD Last Modified:
01/12/2026
Source:
kernel.org

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

CVE-2025-38051 Detail

Description

Metrics

References to Advisories, Solutions, and Tools

Weakness Enumeration

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Change History

Reanalysis by NIST 1/12/2026 8:11:24 AM

Initial Analysis by NIST 12/17/2025 1:26:11 PM

CVE Modified by CVE 11/03/2025 1:15:59 PM

New CVE Received from kernel.org 6/18/2025 6:15:37 AM

Quick Info