CVE-2025-40084

Summary

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: transport_ipc: validate payload size before reading handle

handle_response() dereferences the payload as a 4-byte handle without verifying that the declared payload size is at least 4 bytes. A malformed or truncated message from ksmbd.mountd can lead to a 4-byte read past the declared payload size. Validate the size before dereferencing.

This is a minimal fix to guard the initial handle read.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux0626e6641f6b467447c81dd7678a69c66f7746cf < a02e432d5130da4c723aabe1205bac805889fdb2affected
LinuxLinux0626e6641f6b467447c81dd7678a69c66f7746cf < 2dc125f5da134c0915a840b62565c60a595673ddaffected
LinuxLinux0626e6641f6b467447c81dd7678a69c66f7746cf < 898d527ed94c19980a4d848f10057f1fed578ffbaffected
LinuxLinux0626e6641f6b467447c81dd7678a69c66f7746cf < 867ffd9d67285612da3f0498ca618297f8e41f01affected
LinuxLinux0626e6641f6b467447c81dd7678a69c66f7746cf < 6f40e50ceb99fc8ef37e5c56e2ec1d162733fef0affected
LinuxLinux5.15affected
LinuxLinux0 < 5.15unaffected
LinuxLinux6.1.158 <= 6.1.*unaffected
LinuxLinux6.6.115 <= 6.6.*unaffected
LinuxLinux6.12.56 <= 6.12.*unaffected
LinuxLinux6.17.6 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

References