Instituto Nacional de Ciberseguridad (National Cybersecurity Institute). INCIBE-CERT section

CVE-2025-68263

Severity:
Pending analysis
Type:
Not available / Other
Publication date:
16/12/2025
Last modified:
16/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: ipc: fix use-after-free in ipc_msg_send_request

ipc_msg_send_request() waits for a generic netlink reply using an
ipc_msg_table_entry on the stack. The generic netlink handler
(handle_generic_event()/handle_response()) fills entry->response under
ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free
entry->response without holding the same lock.

Under high concurrency this allows a race where handle_response() is
copying data into entry->response while ipc_msg_send_request() has just
freed it, leading to a slab-use-after-free reported by KASAN in
handle_generic_event():

BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]
Write of size 12 at addr ffff888198ee6e20 by task pool/109349
...
Freed by task:
kvfree
ipc_msg_send_request [ksmbd]
ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd]

Fix by:
- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating
  entry->response, freeing it when invalid, and removing the entry from
  ipc_msg_table.
- Returning the final entry->response pointer to the caller only after
  the hash entry is removed under the lock.
- Returning NULL in the error path, preserving the original API
  semantics.

This makes all accesses to entry->response consistent with
handle_response(), which already updates and fills the response buffer
under ipc_msg_table_lock, and closes the race that allowed the UAF.
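The interleaving the commit message describes, reproduced as an added user-space model. This is editor-supplied example code, not ksmbd or kernel code: the function and field names mirror the commit message, but the one-slot "hash table", the handler/sender thread pair, the scheduling flags (handler_found, sender_ran), the bounded wait, and the freed flag that replaces kvfree() so the use-after-free is observed rather than being undefined behaviour are all modelling assumptions. run_race(0) runs the original locking (validate and free outside ipc_msg_table_lock) and returns 1 because the handler's copy lands after the free; run_race(1) runs the locking of the fix and returns 0.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <string.h>
#include <time.h>

/* Added model of the ksmbd ipc_msg_table race; not kernel code. The single
 * table slot, scheduling flags and flag-based "free" are assumptions. */
struct ipc_msg_table_entry {           /* lives on the sender's stack, as in ksmbd */
	unsigned int handle;
	char *response;                    /* set and filled by the handler */
	int freed;                         /* model only: marked instead of really freed */
};

struct race {
	pthread_mutex_t table_lock;        /* stands in for ipc_msg_table_lock */
	struct ipc_msg_table_entry *table; /* one-slot stand-in for the ipc_msg_table hash */
	struct ipc_msg_table_entry *entry; /* the sender's own stack entry */
	pthread_mutex_t evt_lock;          /* protects the two scheduling flags */
	pthread_cond_t evt_cv;
	int handler_found;                 /* handler looked the entry up under table_lock */
	int sender_ran;                    /* sender finished its validate/free step */
	int uaf;                           /* handler wrote into a freed buffer */
	int fixed;                         /* 0: original locking, 1: locking of the fix */
	char resp_buf[16];                 /* stands in for the allocated response */
};

static void flag_set(struct race *r, int *flag)
{
	pthread_mutex_lock(&r->evt_lock);
	*flag = 1;
	pthread_cond_broadcast(&r->evt_cv);
	pthread_mutex_unlock(&r->evt_lock);
}

/* Bounded wait: a thread holding table_lock must not deadlock against a
 * peer that is (correctly) blocked on table_lock. */
static void flag_wait(struct race *r, int *flag, int timeout_ms)
{
	struct timespec ts;
	clock_gettime(CLOCK_REALTIME, &ts);
	ts.tv_sec += timeout_ms / 1000;
	ts.tv_nsec += (long)(timeout_ms % 1000) * 1000000L;
	if (ts.tv_nsec >= 1000000000L) { ts.tv_sec++; ts.tv_nsec -= 1000000000L; }
	pthread_mutex_lock(&r->evt_lock);
	while (!*flag && pthread_cond_timedwait(&r->evt_cv, &r->evt_lock, &ts) != ETIMEDOUT)
		;
	pthread_mutex_unlock(&r->evt_lock);
}

/* Generic netlink side: handle_response() filling entry->response under the lock. */
static void *handle_response(void *arg)
{
	struct race *r = arg;
	pthread_mutex_lock(&r->table_lock);
	struct ipc_msg_table_entry *entry = r->table;  /* hash lookup by handle */
	if (entry) {
		entry->response = r->resp_buf;             /* allocation that wakes the sender */
		flag_set(r, &r->handler_found);
		flag_wait(r, &r->sender_ran, 1000);        /* widen the race window */
		if (entry->freed)
			r->uaf = 1;                            /* the write KASAN reported */
		memcpy(entry->response, "rpc reply", 10);  /* the racing copy */
	}
	pthread_mutex_unlock(&r->table_lock);
	return NULL;
}

/* ipc_msg_send_request() after its wait returned: validate, free, hash_del. */
static void *ipc_msg_send_request_tail(void *arg)
{
	struct race *r = arg;
	struct ipc_msg_table_entry *entry = r->entry;
	flag_wait(r, &r->handler_found, 1000);
	if (r->fixed)
		pthread_mutex_lock(&r->table_lock);  /* fix: validate/free under the lock */
	if (entry->response)
		entry->freed = 1;                    /* reply rejected: kvfree(entry->response) */
	flag_set(r, &r->sender_ran);
	if (!r->fixed)
		pthread_mutex_lock(&r->table_lock);  /* original: lock taken only for hash_del */
	r->table = NULL;                         /* hash_del(&entry.ipc_table_hlist) */
	pthread_mutex_unlock(&r->table_lock);
	return NULL;
}

/* One forced interleaving; returns 1 if the handler wrote after the free. */
int run_race(int fixed)
{
	struct ipc_msg_table_entry entry = { .handle = 1 };
	struct race r = { .table = &entry, .entry = &entry, .fixed = fixed };
	pthread_t handler, sender;
	pthread_mutex_init(&r.table_lock, NULL);
	pthread_mutex_init(&r.evt_lock, NULL);
	pthread_cond_init(&r.evt_cv, NULL);
	pthread_create(&handler, NULL, handle_response, &r);
	pthread_create(&sender, NULL, ipc_msg_send_request_tail, &r);
	pthread_join(handler, NULL);
	pthread_join(sender, NULL);
	return r.uaf;
}
```

Build with `cc -pthread race.c` and call run_race(0) and run_race(1). The fixed run takes about a second because the handler's bounded wait expires while the sender is blocked on table_lock, which is the point: with the fix, the sender cannot free until the handler has finished its copy and released the lock, whatever the scheduling. The model covers only the first bullet of the fix (validate and free under ipc_msg_table_lock); it does not model the second bullet, returning the response pointer only after hash_del, nor the NULL return in the error path.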

Impact