GHSA-f255-x52r-mjq5

Опубликовано: 09 дек. 2025

Источник: github

Github: Не прошло ревью

Описание

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix potential UAF in smb2_close_cached_fid()

find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free.

Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap.

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix potential UAF in smb2_close_cached_fid()

find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free.

Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap.

Ссылки

EPSS

Процентиль: 6%

0.00025

Низкий

CVE ID

CVE-2025-40328

Связанные уязвимости

CVE-2025-40328

ubuntu

около 2 месяцев назад

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_close_cached_fid() find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free. Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap.