CVE-2025-38527

Summary

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix use-after-free in cifs_oplock_break

A race condition can occur in cifs_oplock_break() leading to a use-after-free of the cinode structure when unmounting:

cifs_oplock_break() _cifsFileInfo_put(cfile) cifsFileInfo_put_final() cifs_sb_deactive() [last ref, start releasing sb] kill_sb() kill_anon_super() generic_shutdown_super() evict_inodes() dispose_list() evict() destroy_inode() call_rcu(&inode->i_rcu, i_callback) spin_lock(&cinode->open_file_lock) <- OK [later] i_callback() cifs_free_inode() kmem_cache_free(cinode) spin_unlock(&cinode->open_file_lock) <- UAF cifs_done_oplock_break(cinode) <- UAF

The issue occurs when umount has already released its reference to the superblock. When _cifsFileInfo_put() calls cifs_sb_deactive(), this releases the last reference, triggering the immediate cleanup of all inodes under RCU. However, cifs_oplock_break() continues to access the cinode after this point, resulting in use-after-free.

Fix this by holding an extra reference to the superblock during the entire oplock break operation. This ensures that the superblock and its inodes remain valid until the oplock break completes.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxb98749cac4a695f084a5ff076f4510b23e353ecd < 4256a483fe58af66a46cbf3dc48ff26e580d3308affected
LinuxLinuxb98749cac4a695f084a5ff076f4510b23e353ecd < 0a4eec84d4d2c4085d4ed8630fd74e4b39033c1baffected
LinuxLinuxb98749cac4a695f084a5ff076f4510b23e353ecd < 2baaf5bbab2ac474c4f92c10fcb3310f824db995affected
LinuxLinuxb98749cac4a695f084a5ff076f4510b23e353ecd < 09bce2138a30ef10d8821c8c3f73a4ab7a5726bcaffected
LinuxLinuxb98749cac4a695f084a5ff076f4510b23e353ecd < da11bd4b697b393a207f19a2ed7d382a811a3ddcaffected
LinuxLinuxb98749cac4a695f084a5ff076f4510b23e353ecd < 705c79101ccf9edea5a00d761491a03ced314210affected
LinuxLinux2429fcf06d3cb962693868ab0a927c9038f12a2daffected
LinuxLinux1ee4f2d7cdcd4508cc3cbe3b2622d7177b89da12affected
LinuxLinux53fc31a4853e30d6e8f142b824f724da27ff3e40affected
LinuxLinux8092ecc306d81186a64cda42411121f4d35aaff4affected
LinuxLinuxebac4d0adf68f8962bd82fcf483936edd6ec095baffected
LinuxLinux3.16.72 < 3.17affected
LinuxLinux4.9.171 < 4.10affected
LinuxLinux4.14.114 < 4.15affected
LinuxLinux4.19.37 < 4.20affected
LinuxLinux5.0.10 < 5.1affected
LinuxLinux5.1affected
LinuxLinux0 < 5.1unaffected
LinuxLinux5.15.190 <= 5.15.*unaffected
LinuxLinux6.1.147 <= 6.1.*unaffected
LinuxLinux6.6.100 <= 6.6.*unaffected
LinuxLinux6.12.40 <= 6.12.*unaffected
LinuxLinux6.15.8 <= 6.15.*unaffected
LinuxLinux6.16 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References