CVE-2025-40039
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-28

Last updated on: 2026-02-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix race condition in RPC handle list access The 'sess->rpc_handle_list' XArray manages RPC handles within a ksmbd session. Access to this list is intended to be protected by 'sess->rpc_lock' (an rw_semaphore). However, the locking implementation was flawed, leading to potential race conditions. In ksmbd_session_rpc_open(), the code incorrectly acquired only a read lock before calling xa_store() and xa_erase(). Since these operations modify the XArray structure, a write lock is required to ensure exclusive access and prevent data corruption from concurrent modifications. Furthermore, ksmbd_session_rpc_method() accessed the list using xa_load() without holding any lock at all. This could lead to reading inconsistent data or a potential use-after-free if an entry is concurrently removed and the pointer is dereferenced. Fix these issues by: 1. Using down_write() and up_write() in ksmbd_session_rpc_open() to ensure exclusive access during XArray modification, and ensuring the lock is correctly released on error paths. 2. Adding down_read() and up_read() in ksmbd_session_rpc_method() to safely protect the lookup.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-28
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2025-10-28
EPSS Evaluated
2026-06-15
NVD
CVE-2025-40039
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.15.145 (inc) to 5.16 (exc)
linux linux_kernel From 6.13 (inc) to 6.17.3 (exc)
linux linux_kernel From 6.1.71 (inc) to 6.2 (exc)
linux linux_kernel From 6.3 (inc) to 6.6.123 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.53 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a race condition in the Linux kernel's ksmbd component related to the management of RPC handles within a session. The 'sess->rpc_handle_list' XArray is supposed to be protected by a read-write lock ('sess->rpc_lock'), but the locking was implemented incorrectly. Specifically, the code used a read lock when modifying the list, which requires a write lock, and in some cases accessed the list without any lock. This flaw could lead to data corruption or use-after-free errors due to concurrent access without proper synchronization.

Impact Analysis

The vulnerability can lead to data corruption or use-after-free conditions in the ksmbd session's RPC handle list. This can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or cause denial of service by exploiting the race condition in concurrent access to the RPC handle list.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the ksmbd race condition in RPC handle list access is fixed. The fix involves proper locking using down_write()/up_write() and down_read()/up_read() to protect the rpc_handle_list XArray. Until the update is applied, avoid using vulnerable ksmbd sessions that may trigger concurrent modifications to the rpc_handle_list.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-40039. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart