Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-38728

Severity CVSS v4.0:
Pending analysis
Type:
CWE-125 Out-of-bounds Read
Publication date:
04/09/2025
Last modified:
08/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb3: fix for slab out of bounds on mount to ksmbd<br /> <br /> With KASAN enabled, it is possible to get a slab out of bounds<br /> during mount to ksmbd due to missing check in parse_server_interfaces()<br /> (see below):<br /> <br /> BUG: KASAN: slab-out-of-bounds in<br /> parse_server_interfaces+0x14ee/0x1880 [cifs]<br /> Read of size 4 at addr ffff8881433dba98 by task mount/9827<br /> <br /> CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G<br /> OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary)<br /> Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE<br /> Hardware name: Dell Inc. Precision Tower 3620/0MWYPT,<br /> BIOS 2.13.1 06/14/2019<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x9f/0xf0<br /> print_report+0xd1/0x670<br /> __virt_addr_valid+0x22c/0x430<br /> ? parse_server_interfaces+0x14ee/0x1880 [cifs]<br /> ? kasan_complete_mode_report_info+0x2a/0x1f0<br /> ? parse_server_interfaces+0x14ee/0x1880 [cifs]<br /> kasan_report+0xd6/0x110<br /> parse_server_interfaces+0x14ee/0x1880 [cifs]<br /> __asan_report_load_n_noabort+0x13/0x20<br /> parse_server_interfaces+0x14ee/0x1880 [cifs]<br /> ? __pfx_parse_server_interfaces+0x10/0x10 [cifs]<br /> ? trace_hardirqs_on+0x51/0x60<br /> SMB3_request_interfaces+0x1ad/0x3f0 [cifs]<br /> ? __pfx_SMB3_request_interfaces+0x10/0x10 [cifs]<br /> ? SMB2_tcon+0x23c/0x15d0 [cifs]<br /> smb3_qfs_tcon+0x173/0x2b0 [cifs]<br /> ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]<br /> ? cifs_get_tcon+0x105d/0x2120 [cifs]<br /> ? do_raw_spin_unlock+0x5d/0x200<br /> ? cifs_get_tcon+0x105d/0x2120 [cifs]<br /> ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]<br /> cifs_mount_get_tcon+0x369/0xb90 [cifs]<br /> ? dfs_cache_find+0xe7/0x150 [cifs]<br /> dfs_mount_share+0x985/0x2970 [cifs]<br /> ? check_path.constprop.0+0x28/0x50<br /> ? save_trace+0x54/0x370<br /> ? __pfx_dfs_mount_share+0x10/0x10 [cifs]<br /> ? __lock_acquire+0xb82/0x2ba0<br /> ? __kasan_check_write+0x18/0x20<br /> cifs_mount+0xbc/0x9e0 [cifs]<br /> ? __pfx_cifs_mount+0x10/0x10 [cifs]<br /> ? do_raw_spin_unlock+0x5d/0x200<br /> ? cifs_setup_cifs_sb+0x29d/0x810 [cifs]<br /> cifs_smb3_do_mount+0x263/0x1990 [cifs]

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.10 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): High

Base Score 3.x
7.10
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.18.1 (including) 6.1.149 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.103 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.43 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.15.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.16 (including) 6.16.2 (excluding)
cpe:2.3:o:linux:linux_kernel:4.18:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.18:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.18:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.18:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.18:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.18:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.18:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.18:rc8:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools