CVE-2025-38179

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38179
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38179.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38179
Published
2025-07-04T13:37:07Z
Modified
2025-10-18T02:54:14.532063Z
Summary
smb: client: fix max_sge overflow in smb_extract_folioq_to_rdma()
Details

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix max_sge overflow in smb_extract_folioq_to_rdma()

This fixes the following problem:

[ 749.901015] [ T8673] run fstests cifs/001 at 2025-06-17 09:40:30
[ 750.346409] [ T9870] ==================================================================
[ 750.346814] [ T9870] BUG: KASAN: slab-out-of-bounds in smbsetsge+0x2cc/0x3b0 [cifs]
[ 750.347330] [ T9870] Write of size 8 at addr ffff888011082890 by task xfsio/9870
[ 750.347705] [ T9870]
[ 750.348077] [ T9870] CPU: 0 UID: 0 PID: 9870 Comm: xfsio Kdump: loaded Not tainted 6.16.0-rc2-metze.02+ #1 PREEMPT(voluntary)
[ 750.348082] [ T9870] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 750.348085] [ T9870] Call Trace:
[ 750.348086] [ T9870] <TASK>
[ 750.348088] [ T9870] dumpstacklvl+0x76/0xa0
[ 750.348106] [ T9870] printreport+0xd1/0x640
[ 750.348116] [ T9870] ? pfxrawspinlockirqsave+0x10/0x10
[ 750.348120] [ T9870] ? kasancompletemodereportinfo+0x26/0x210
[ 750.348124] [ T9870] kasanreport+0xe7/0x130
[ 750.348128] [ T9870] ? smbsetsge+0x2cc/0x3b0 [cifs]
[ 750.348262] [ T9870] ? smbsetsge+0x2cc/0x3b0 [cifs]
[ 750.348377] [ T9870] asanreportstore8noabort+0x17/0x30
[ 750.348381] [ T9870] smbsetsge+0x2cc/0x3b0 [cifs]
[ 750.348496] [ T9870] smbdpostsenditer+0x1990/0x3070 [cifs]
[ 750.348625] [ T9870] ? _pfxsmbdpostsenditer+0x10/0x10 [cifs]
[ 750.348741] [ T9870] ? updatestackstate+0x2a0/0x670
[ 750.348749] [ T9870] ? cifsflush+0x153/0x320 [cifs]
[ 750.348870] [ T9870] ? cifsflush+0x153/0x320 [cifs]
[ 750.348990] [ T9870] ? updatestackstate+0x2a0/0x670
[ 750.348995] [ T9870] smbdsend+0x58c/0x9c0 [cifs]
[ 750.349117] [ T9870] ? _pfxsmbdsend+0x10/0x10 [cifs]
[ 750.349231] [ T9870] ? unwindgetreturnaddress+0x65/0xb0
[ 750.349235] [ T9870] ? _pfxstacktraceconsumeentry+0x10/0x10
[ 750.349242] [ T9870] ? archstackwalk+0xa7/0x100
[ 750.349250] [ T9870] ? stacktracesave+0x92/0xd0
[ 750.349254] [ T9870] _smbsendrqst+0x931/0xec0 [cifs]
[ 750.349374] [ T9870] ? kerneltextaddress+0x173/0x190
[ 750.349379] [ T9870] ? kasansavestack+0x39/0x70
[ 750.349382] [ T9870] ? kasansavetrack+0x18/0x70
[ 750.349385] [ T9870] ? _kasanslaballoc+0x9d/0xa0
[ 750.349389] [ T9870] ? _pfxsmbsendrqst+0x10/0x10 [cifs]
[ 750.349508] [ T9870] ? smb2midentryalloc+0xb4/0x7e0 [cifs]
[ 750.349626] [ T9870] ? cifscallasync+0x277/0xb00 [cifs]
[ 750.349746] [ T9870] ? cifsissuewrite+0x256/0x610 [cifs]
[ 750.349867] [ T9870] ? netfsdoissuewrite+0xc2/0x340 [netfs]
[ 750.349900] [ T9870] ? netfsadvancewrite+0x45b/0x1270 [netfs]
[ 750.349929] [ T9870] ? netfswritefolio+0xd6c/0x1be0 [netfs]
[ 750.349958] [ T9870] ? netfswritepages+0x2e9/0xa80 [netfs]
[ 750.349987] [ T9870] ? dowritepages+0x21f/0x590
[ 750.349993] [ T9870] ? filemapfdatawritewbc+0xe1/0x140
[ 750.349997] [ T9870] ? entrySYSCALL64afterhwframe+0x76/0x7e
[ 750.350002] [ T9870] smbsendrqst+0x22e/0x2f0 [cifs]
[ 750.350131] [ T9870] ? pfxsmbsendrqst+0x10/0x10 [cifs]
[ 750.350255] [ T9870] ? localclocknoinstr+0xe/0xd0
[ 750.350261] [ T9870] ? kasansaveallocinfo+0x37/0x60
[ 750.350268] [ T9870] ? _kasancheckwrite+0x14/0x30
[ 750.350271] [ T9870] ? _rawspinlock+0x81/0xf0
[ 750.350275] [ T9870] ? _pfxrawspinlock+0x10/0x10
[ 750.350278] [ T9870] ? smb2setupasyncrequest+0x293/0x580 [cifs]
[ 750.350398] [ T9870] cifscallasync+0x477/0xb00 [cifs]
[ 750.350518] [ T9870] ? pfxsmb2writevcallback+0x10/0x10 [cifs]
[ 750.350636] [ T9870] ? _pfxcifscallasync+0x10/0x10 [cifs]
[ 750.350756] [ T9870] ? _pfxrawspinlock+0x10/0x10
[ 750.350760] [ T9870] ? _kasancheckwrite+0x14/0x30
[ 750.350763] [ T98 ---truncated---

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c45ebd636c32d33c75e51ce977520ff146bd41a1
Fixed
8ae7814589d7bd850294ac14ec4c1725dafd42ca
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c45ebd636c32d33c75e51ce977520ff146bd41a1
Fixed
e0ba9b2f188166550296005e64b15e80db82ad8a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c45ebd636c32d33c75e51ce977520ff146bd41a1
Fixed
a379a8a2a0032e12e7ef397197c9c2ad011588d6

Affected versions

v6.*

v6.11
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.2
v6.15.3
v6.16-rc1
v6.16-rc2

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.12.0
Fixed
6.12.35
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.15.4