CVE-2025-38523
BaseFortify

Publication date: 2025-08-16

Last updated on: 2025-11-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix the smbd_response slab to allow usercopy

The handling of received data in the smbdirect client code involves using copy_to_iter() to copy data from the smbd_response struct's packet trailer to a folioq buffer provided by netfslib that encapsulates a chunk of pagecache. If, however, CONFIG_HARDENED_USERCOPY=y, this will result in the checks then performed in copy_to_iter() oopsing with something like the following:

    CIFS: Attempting to mount //172.31.9.1/test
    CIFS: VFS: RDMA transport established
    usercopy: Kernel memory exposure attempt detected from SLUB object 'smbd_response_0000000091e24ea1' (offset 81, size 63)!
    ------------[ cut here ]------------
    kernel BUG at mm/usercopy.c:102!
    ...
    RIP: 0010:usercopy_abort+0x6c/0x80
    ...
    Call Trace:
     <TASK>
     __check_heap_object+0xe3/0x120
     __check_object_size+0x4dc/0x6d0
     smbd_recv+0x77f/0xfe0 [cifs]
     cifs_readv_from_socket+0x276/0x8f0 [cifs]
     cifs_read_from_socket+0xcd/0x120 [cifs]
     cifs_demultiplex_thread+0x7e9/0x2d50 [cifs]
     kthread+0x396/0x830
     ret_from_fork+0x2b8/0x3b0
     ret_from_fork_asm+0x1a/0x30

The problem is that the smbd_response slab's packet field isn't marked as being permitted for usercopy. Fix this by passing parameters to kmem_slab_create() to indicate that copy_to_iter() is permitted from the packet region of the smbd_response slab objects, less the header space.
Meta Information
Generated: 2026-05-06
AI Q&A: 2025-08-16
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 5 associated CPEs

Vendor  Product       Version / Range
linux   linux_kernel  6.16
linux   linux_kernel  6.16
linux   linux_kernel  6.16
linux   linux_kernel  From 5.15.160 (inc) to 5.16 (inc)
linux   linux_kernel  From 5.15.160 (inc) to 5.16 (inc)
CWE ID    Description
CWE-1188  The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is in the Linux kernel's CIFS (Common Internet File System) client code, specifically in the handling of received data in the smbd_response slab. The issue arises because the packet field in the smbd_response slab is not marked as permitted for usercopy operations. When CONFIG_HARDENED_USERCOPY is enabled, the kernel's copy_to_iter() function, which copies data from the smbd_response struct to a buffer, triggers a kernel oops (crash) due to security checks detecting an invalid usercopy attempt. The fix involves marking the packet region of the smbd_response slab as permitted for usercopy to prevent this crash.


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to crash (kernel BUG) when the CIFS client attempts to copy data from the smbd_response slab if hardened usercopy protections are enabled. This can lead to denial of service by crashing the system or the CIFS client, potentially disrupting access to network file shares.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing kernel logs for oops messages related to usercopy failures in the CIFS smbd_response slab. Specifically, look for messages like 'usercopy: Kernel memory exposure attempt detected from SLUB object smbd_response' and kernel BUG traces referencing usercopy_abort and smbd_recv. You can check the kernel log using commands such as 'dmesg | grep usercopy' or 'journalctl -k | grep usercopy' to identify these errors.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves updating the Linux kernel to a version where the smbd_response slab is properly marked to allow usercopy, as the vulnerability is fixed by passing parameters to kmem_slab_create() to permit copy_to_iter() from the packet region. Until an update is applied, monitoring for kernel oops messages and avoiding mounting CIFS shares that trigger this issue may reduce risk.

