Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-69737.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-69737
Upstream
Published
2025-05-01T13:15:53Z
Modified
2026-04-01T05:20:44.665994Z
Summary
CVE-2025-37750 affecting package kernel 6.6.126.1-1
Details

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix UAF in decryption with multichannel

After commit f7025d861694 ("smb: client: allocate crypto only for primary server") and commit b0abcd65ec54 ("smb: client: fix UAF in async decryption"), the channels started reusing AEAD TFM from primary channel to perform synchronous decryption, but that can't be done as there could be multiple cifsd threads (one per channel) simultaneously accessing it to perform decryption.

This fixes the following KASAN splat when running fstest generic/249 with 'vers=3.1.1,multichannel,max_channels=4,seal' against Windows Server 2022:

BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xba/0x110
Read of size 8 at addr ffff8881046c18a0 by task cifsd/986
CPU: 3 UID: 0 PID: 986 Comm: cifsd Not tainted 6.15.0-rc1 #1 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x5d/0x80
 print_report+0x156/0x528
 ? gf128mul_4k_lle+0xba/0x110
 ? __virt_addr_valid+0x145/0x300
 ? __phys_addr+0x46/0x90
 ? gf128mul_4k_lle+0xba/0x110
 kasan_report+0xdf/0x1a0
 ? gf128mul_4k_lle+0xba/0x110
 gf128mul_4k_lle+0xba/0x110
 ghash_update+0x189/0x210
 shash_ahash_update+0x295/0x370
 ? __pfx_shash_ahash_update+0x10/0x10
 ? __pfx_shash_ahash_update+0x10/0x10
 ? __pfx_extract_iter_to_sg+0x10/0x10
 ? ___kmalloc_large_node+0x10e/0x180
 ? __asan_memset+0x23/0x50
 crypto_ahash_update+0x3c/0xc0
 gcm_hash_assoc_remain_continue+0x93/0xc0
 crypt_message+0xe09/0xec0 [cifs]
 ? __pfx_crypt_message+0x10/0x10 [cifs]
 ? _raw_spin_unlock+0x23/0x40
 ? __pfx_cifs_readv_from_socket+0x10/0x10 [cifs]
 decrypt_raw_data+0x229/0x380 [cifs]
 ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]
 ? __pfx_cifs_read_iter_from_socket+0x10/0x10 [cifs]
 smb3_receive_transform+0x837/0xc80 [cifs]
 ? __pfx_smb3_receive_transform+0x10/0x10 [cifs]
 ? __pfx___might_resched+0x10/0x10
 ? __pfx_smb3_is_transform_hdr+0x10/0x10 [cifs]
 cifs_demultiplex_thread+0x692/0x1570 [cifs]
 ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
 ? rcu_is_watching+0x20/0x50
 ? rcu_lockdep_current_cpu_online+0x62/0xb0
 ? find_held_lock+0x32/0x90
 ? kvm_sched_clock_read+0x11/0x20
 ? local_clock_noinstr+0xd/0xd0
 ? trace_irq_enable.constprop.0+0xa8/0xe0
 ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
 kthread+0x1fe/0x380
 ? kthread+0x10f/0x380
 ? __pfx_kthread+0x10/0x10
 ? local_clock_noinstr+0xd/0xd0
 ? ret_from_fork+0x1b/0x60
 ? local_clock+0x15/0x30
 ? lock_release+0x29b/0x390
 ? rcu_is_watching+0x20/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x31/0x60
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
 </TASK>

References

Affected packages

Azure Linux:3 / kernel

Package

Name
kernel
Purl
pkg:rpm/azure-linux/kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Last affected
6.6.126.1-1

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-69737.json"