CVE-2025-37952

Summary

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: Fix UAF in __close_file_table_ids

A use-after-free is possible if one thread destroys the file via __ksmbd_close_fd while another thread holds a reference to it. The existing checks on fp->refcount are not sufficient to prevent this.

The fix takes ft->lock around the section which removes the file from the file table. This prevents two threads acquiring the same file pointer via __close_file_table_ids, as well as the other functions which retrieve a file from the IDR and which already use this same lock.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux0626e6641f6b467447c81dd7678a69c66f7746cf < fec1f9e9a650e8e7011330a085c77e7bf2a08ea9affected
LinuxLinux0626e6641f6b467447c81dd7678a69c66f7746cf < 9e9841e232b51171ddf3bc4ee517d5d28dc8cad6affected
LinuxLinux0626e6641f6b467447c81dd7678a69c66f7746cf < 16727e442568a46d9cca69fe2595896de86e120daffected
LinuxLinux0626e6641f6b467447c81dd7678a69c66f7746cf < 36991c1ccde2d5a521577c448ffe07fcccfe104daffected
LinuxLinux5.15affected
LinuxLinux0 < 5.15unaffected
LinuxLinux6.6.91 <= 6.6.*unaffected
LinuxLinux6.12.29 <= 6.12.*unaffected
LinuxLinux6.14.7 <= 6.14.*unaffected
LinuxLinux6.15 <= *unaffected

Weaknesses

References