CVE-2025-38527

Source
https://cve.org/CVERecord?id=CVE-2025-38527
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38527.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38527
Downstream
Related
Published
2025-08-16T11:12:20.843Z
Modified
2026-05-18T05:57:28.725960736Z
Summary
smb: client: fix use-after-free in cifs_oplock_break
Details

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix use-after-free in cifsoplockbreak

A race condition can occur in cifsoplockbreak() leading to a use-after-free of the cinode structure when unmounting:

cifsoplockbreak() cifsFileInfoput(cfile) cifsFileInfoputfinal() cifssbdeactive() [last ref, start releasing sb] killsb() killanonsuper() genericshutdownsuper() evictinodes() disposelist() evict() destroyinode() callrcu(&inode->ircu, icallback) spinlock(&cinode->openfilelock) <- OK [later] icallback() cifsfreeinode() kmemcachefree(cinode) spinunlock(&cinode->openfilelock) <- UAF cifsdoneoplock_break(cinode) <- UAF

The issue occurs when umount has already released its reference to the superblock. When cifsFileInfoput() calls cifssbdeactive(), this releases the last reference, triggering the immediate cleanup of all inodes under RCU. However, cifsoplockbreak() continues to access the cinode after this point, resulting in use-after-free.

Fix this by holding an extra reference to the superblock during the entire oplock break operation. This ensures that the superblock and its inodes remain valid until the oplock break completes.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38527.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b98749cac4a695f084a5ff076f4510b23e353ecd
Fixed
4256a483fe58af66a46cbf3dc48ff26e580d3308
Fixed
0a4eec84d4d2c4085d4ed8630fd74e4b39033c1b
Fixed
2baaf5bbab2ac474c4f92c10fcb3310f824db995
Fixed
09bce2138a30ef10d8821c8c3f73a4ab7a5726bc
Fixed
da11bd4b697b393a207f19a2ed7d382a811a3ddc
Fixed
705c79101ccf9edea5a00d761491a03ced314210
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
2429fcf06d3cb962693868ab0a927c9038f12a2d
Last affected
1ee4f2d7cdcd4508cc3cbe3b2622d7177b89da12
Last affected
53fc31a4853e30d6e8f142b824f724da27ff3e40
Last affected
8092ecc306d81186a64cda42411121f4d35aaff4
Last affected
ebac4d0adf68f8962bd82fcf483936edd6ec095b

Affected versions

v2.*
v2.6.12-rc2
v2.6.12-rc3
v2.6.12-rc4
v2.6.13
v2.6.13-rc1
v2.6.13-rc2
v2.6.13-rc3
v2.6.13-rc4
v2.6.13-rc5
v2.6.13-rc6
v2.6.13-rc7
v2.6.14-rc1
v2.6.14-rc2
v2.6.14-rc3
v2.6.15-rc1
v2.6.15-rc2
v2.6.15-rc4
v2.6.15-rc5
v2.6.15-rc7
v2.6.16
v2.6.16-rc1
v2.6.16-rc2
v2.6.16-rc3
v2.6.16-rc4
v2.6.16-rc5
v2.6.16-rc6
v2.6.17
v2.6.17-rc1
v2.6.17-rc2
v2.6.17-rc3
v2.6.17-rc4
v2.6.17-rc5
v2.6.17-rc6
v2.6.18
v2.6.18-rc1
v2.6.18-rc2
v2.6.18-rc3
v2.6.18-rc5
v2.6.18-rc6
v2.6.19-rc1
v2.6.19-rc2
v2.6.20-rc1
v2.6.20-rc2
v2.6.20-rc3
v2.6.20-rc4
v2.6.20-rc5
v2.6.20-rc6
v2.6.20-rc7
v2.6.21
v2.6.21-rc1
v2.6.21-rc2
v2.6.21-rc3
v2.6.21-rc4
v2.6.21-rc5
v2.6.21-rc6
v2.6.21-rc7
v2.6.22
v2.6.22-rc1
v2.6.22-rc2
v2.6.22-rc3
v2.6.22-rc4
v2.6.22-rc5
v2.6.22-rc6
v2.6.22-rc7
v2.6.23
v2.6.23-rc1
v2.6.23-rc2
v2.6.23-rc3
v2.6.23-rc4
v2.6.23-rc5
v2.6.23-rc6
v2.6.23-rc7
v2.6.23-rc8
v2.6.23-rc9
v2.6.24
v2.6.24-rc1
v2.6.24-rc2
v2.6.24-rc3
v2.6.24-rc4
v2.6.24-rc5
v2.6.24-rc6
v2.6.24-rc7
v2.6.24-rc8
v2.6.25
v2.6.25-rc1
v2.6.25-rc2
v2.6.25-rc3
v2.6.25-rc4
v2.6.25-rc5
v2.6.25-rc6
v2.6.25-rc7
v2.6.25-rc8
v2.6.25-rc9
v2.6.26
v2.6.26-rc1
v2.6.26-rc2
v2.6.26-rc3
v2.6.26-rc4
v2.6.26-rc5
v2.6.26-rc6
v2.6.26-rc7
v2.6.26-rc8
v2.6.26-rc9
v2.6.27
v2.6.27-rc1
v2.6.27-rc2
v2.6.27-rc3
v2.6.27-rc4
v2.6.27-rc5
v2.6.27-rc6
v2.6.27-rc7
v2.6.27-rc8
v2.6.27-rc9
v2.6.28
v2.6.28-rc1
v2.6.28-rc2
v2.6.28-rc3
v2.6.28-rc4
v2.6.28-rc5
v2.6.28-rc6
v2.6.28-rc7
v2.6.28-rc8
v2.6.28-rc9
v2.6.29
v2.6.29-rc1
v2.6.29-rc2
v2.6.29-rc3
v2.6.29-rc4
v2.6.29-rc5
v2.6.29-rc6
v2.6.29-rc7
v2.6.29-rc8
v2.6.30
v2.6.30-rc1
v2.6.30-rc2
v2.6.30-rc3
v2.6.30-rc4
v2.6.30-rc5
v2.6.30-rc6
v2.6.30-rc7
v2.6.30-rc8
v2.6.31
v2.6.31-rc1
v2.6.31-rc2
v2.6.31-rc3
v2.6.31-rc4
v2.6.31-rc5
v2.6.31-rc6
v2.6.31-rc7
v2.6.31-rc8
v2.6.31-rc9
v2.6.32
v2.6.32-rc1
v2.6.32-rc2
v2.6.32-rc3
v2.6.32-rc4
v2.6.32-rc5
v2.6.32-rc6
v2.6.32-rc7
v2.6.32-rc8
v2.6.33
v2.6.33-rc1
v2.6.33-rc2
v2.6.33-rc3
v2.6.33-rc4
v2.6.33-rc5
v2.6.33-rc6
v2.6.33-rc7
v2.6.33-rc8
v2.6.34
v2.6.34-rc1
v2.6.34-rc2
v2.6.34-rc3
v2.6.34-rc4
v2.6.34-rc5
v2.6.34-rc6
v2.6.34-rc7
v2.6.35
v2.6.35-rc1
v2.6.35-rc2
v2.6.35-rc3
v2.6.35-rc4
v2.6.35-rc5
v2.6.35-rc6
v2.6.36
v2.6.36-rc1
v2.6.36-rc2
v2.6.36-rc3
v2.6.36-rc4
v2.6.36-rc5
v2.6.36-rc6
v2.6.36-rc7
v2.6.36-rc8
v2.6.37
v2.6.37-rc1
v2.6.37-rc2
v2.6.37-rc3
v2.6.37-rc4
v2.6.37-rc5
v2.6.37-rc6
v2.6.37-rc7
v2.6.37-rc8
v2.6.38
v2.6.38-rc1
v2.6.38-rc2
v2.6.38-rc3
v2.6.38-rc4
v2.6.38-rc5
v2.6.38-rc6
v2.6.38-rc7
v2.6.38-rc8
v2.6.39
v2.6.39-rc1
v2.6.39-rc2
v2.6.39-rc3
v2.6.39-rc4
v2.6.39-rc5
v2.6.39-rc6
v2.6.39-rc7
v3.*
v3.0
v3.0-rc1
v3.0-rc2
v3.0-rc3
v3.0-rc4
v3.0-rc5
v3.0-rc6
v3.0-rc7
v3.1
v3.1-rc1
v3.1-rc10
v3.1-rc2
v3.1-rc3
v3.1-rc4
v3.1-rc5
v3.1-rc6
v3.1-rc7
v3.1-rc8
v3.1-rc9
v3.10
v3.10-rc1
v3.10-rc2
v3.10-rc3
v3.10-rc4
v3.10-rc5
v3.10-rc6
v3.10-rc7
v3.11
v3.11-rc1
v3.11-rc2
v3.11-rc3
v3.11-rc4
v3.11-rc5
v3.11-rc6
v3.11-rc7
v3.12
v3.12-rc1
v3.12-rc2
v3.12-rc3
v3.12-rc4
v3.12-rc5
v3.12-rc6
v3.12-rc7
v3.13
v3.13-rc1
v3.13-rc2
v3.13-rc3
v3.13-rc4
v3.13-rc5
v3.13-rc6
v3.13-rc7
v3.13-rc8
v3.14
v3.14-rc1
v3.14-rc2
v3.14-rc3
v3.14-rc4
v3.14-rc5
v3.14-rc6
v3.14-rc7
v3.14-rc8
v3.15
v3.15-rc1
v3.15-rc2
v3.15-rc3
v3.15-rc4
v3.15-rc5
v3.15-rc6
v3.15-rc7
v3.15-rc8
v3.16
v3.16-rc1
v3.16-rc2
v3.16-rc3
v3.16-rc4
v3.16-rc5
v3.16-rc6
v3.16-rc7
v3.16.1
v3.16.2
v3.16.3
v3.16.35
v3.16.36
v3.16.37
v3.16.38
v3.16.39
v3.16.4
v3.16.40
v3.16.41
v3.16.42
v3.16.43
v3.16.44
v3.16.45
v3.16.46
v3.16.47
v3.16.48
v3.16.49
v3.16.5
v3.16.50
v3.16.51
v3.16.52
v3.16.53
v3.16.54
v3.16.55
v3.16.56
v3.16.57
v3.16.58
v3.16.59
v3.16.6
v3.16.60
v3.16.61
v3.16.62
v3.16.63
v3.16.64
v3.16.65
v3.16.66
v3.16.67
v3.16.68
v3.16.69
v3.16.7
v3.16.70
v3.16.71
v3.17
v3.17-rc1
v3.17-rc2
v3.17-rc3
v3.17-rc4
v3.17-rc5
v3.17-rc6
v3.17-rc7
v3.18
v3.18-rc1
v3.18-rc2
v3.18-rc3
v3.18-rc4
v3.18-rc5
v3.18-rc6
v3.18-rc7
v3.19
v3.19-rc1
v3.19-rc2
v3.19-rc3
v3.19-rc4
v3.19-rc5
v3.19-rc6
v3.19-rc7
v3.2
v3.2-rc1
v3.2-rc2
v3.2-rc3
v3.2-rc4
v3.2-rc5
v3.2-rc6
v3.2-rc7
v3.3
v3.3-rc1
v3.3-rc2
v3.3-rc3
v3.3-rc4
v3.3-rc5
v3.3-rc6
v3.3-rc7
v3.4
v3.4-rc1
v3.4-rc2
v3.4-rc3
v3.4-rc4
v3.4-rc5
v3.4-rc6
v3.4-rc7
v3.5
v3.5-rc1
v3.5-rc2
v3.5-rc3
v3.5-rc4
v3.5-rc5
v3.5-rc6
v3.5-rc7
v3.6
v3.6-rc1
v3.6-rc2
v3.6-rc3
v3.6-rc4
v3.6-rc5
v3.6-rc6
v3.6-rc7
v3.7
v3.7-rc1
v3.7-rc2
v3.7-rc3
v3.7-rc4
v3.7-rc5
v3.7-rc6
v3.7-rc7
v3.7-rc8
v3.8
v3.8-rc1
v3.8-rc2
v3.8-rc3
v3.8-rc4
v3.8-rc5
v3.8-rc6
v3.8-rc7
v3.9
v3.9-rc1
v3.9-rc2
v3.9-rc3
v3.9-rc4
v3.9-rc5
v3.9-rc6
v3.9-rc7
v3.9-rc8
v4.*
v4.0
v4.0-rc1
v4.0-rc2
v4.0-rc3
v4.0-rc4
v4.0-rc5
v4.0-rc6
v4.0-rc7
v4.1
v4.1-rc1
v4.1-rc2
v4.1-rc3
v4.1-rc4
v4.1-rc5
v4.1-rc6
v4.1-rc7
v4.1-rc8
v4.10
v4.10-rc1
v4.10-rc2
v4.10-rc3
v4.10-rc4
v4.10-rc5
v4.10-rc6
v4.10-rc7
v4.10-rc8
v4.11
v4.11-rc1
v4.11-rc2
v4.11-rc3
v4.11-rc4
v4.11-rc5
v4.11-rc6
v4.11-rc7
v4.11-rc8
v4.12
v4.12-rc1
v4.12-rc2
v4.12-rc3
v4.12-rc4
v4.12-rc5
v4.12-rc6
v4.12-rc7
v4.13
v4.13-rc1
v4.13-rc2
v4.13-rc3
v4.13-rc4
v4.13-rc5
v4.13-rc6
v4.13-rc7
v4.14
v4.14-rc1
v4.14-rc2
v4.14-rc3
v4.14-rc4
v4.14-rc5
v4.14-rc6
v4.14-rc7
v4.14-rc8
v4.14.1
v4.14.10
v4.14.100
v4.14.101
v4.14.102
v4.14.103
v4.14.104
v4.14.105
v4.14.106
v4.14.107
v4.14.108
v4.14.109
v4.14.11
v4.14.110
v4.14.111
v4.14.112
v4.14.113
v4.14.12
v4.14.13
v4.14.14
v4.14.15
v4.14.16
v4.14.17
v4.14.18
v4.14.19
v4.14.2
v4.14.20
v4.14.21
v4.14.22
v4.14.23
v4.14.24
v4.14.25
v4.14.26
v4.14.27
v4.14.28
v4.14.29
v4.14.3
v4.14.30
v4.14.31
v4.14.32
v4.14.33
v4.14.34
v4.14.35
v4.14.36
v4.14.37
v4.14.38
v4.14.39
v4.14.4
v4.14.40
v4.14.41
v4.14.42
v4.14.43
v4.14.44
v4.14.45
v4.14.46
v4.14.47
v4.14.48
v4.14.49
v4.14.5
v4.14.50
v4.14.51
v4.14.52
v4.14.53
v4.14.54
v4.14.55
v4.14.56
v4.14.57
v4.14.58
v4.14.59
v4.14.6
v4.14.60
v4.14.61
v4.14.62
v4.14.63
v4.14.64
v4.14.65
v4.14.66
v4.14.67
v4.14.68
v4.14.69
v4.14.7
v4.14.70
v4.14.71
v4.14.72
v4.14.73
v4.14.74
v4.14.75
v4.14.76
v4.14.77
v4.14.78
v4.14.79
v4.14.8
v4.14.80
v4.14.81
v4.14.82
v4.14.83
v4.14.84
v4.14.85
v4.14.86
v4.14.87
v4.14.88
v4.14.89
v4.14.9
v4.14.90
v4.14.91
v4.14.92
v4.14.93
v4.14.94
v4.14.95
v4.14.96
v4.14.97
v4.14.98
v4.14.99
v4.15
v4.15-rc1
v4.15-rc2
v4.15-rc3
v4.15-rc4
v4.15-rc5
v4.15-rc6
v4.15-rc7
v4.15-rc8
v4.15-rc9
v4.16
v4.16-rc1
v4.16-rc2
v4.16-rc3
v4.16-rc4
v4.16-rc5
v4.16-rc6
v4.16-rc7
v4.17
v4.17-rc1
v4.17-rc2
v4.17-rc3
v4.17-rc4
v4.17-rc5
v4.17-rc6
v4.17-rc7
v4.18
v4.18-rc1
v4.18-rc2
v4.18-rc3
v4.18-rc4
v4.18-rc5
v4.18-rc6
v4.18-rc7
v4.18-rc8
v4.19
v4.19-rc1
v4.19-rc2
v4.19-rc3
v4.19-rc4
v4.19-rc5
v4.19-rc6
v4.19-rc7
v4.19-rc8
v4.19.1
v4.19.10
v4.19.11
v4.19.12
v4.19.13
v4.19.14
v4.19.15
v4.19.16
v4.19.17
v4.19.18
v4.19.19
v4.19.2
v4.19.20
v4.19.21
v4.19.22
v4.19.23
v4.19.24
v4.19.25
v4.19.26
v4.19.27
v4.19.28
v4.19.29
v4.19.3
v4.19.30
v4.19.31
v4.19.32
v4.19.33
v4.19.34
v4.19.35
v4.19.36
v4.19.4
v4.19.5
v4.19.6
v4.19.7
v4.19.8
v4.19.9
v4.2
v4.2-rc1
v4.2-rc2
v4.2-rc3
v4.2-rc4
v4.2-rc5
v4.2-rc6
v4.2-rc7
v4.2-rc8
v4.20
v4.20-rc1
v4.20-rc2
v4.20-rc3
v4.20-rc4
v4.20-rc5
v4.20-rc6
v4.20-rc7
v4.3
v4.3-rc1
v4.3-rc2
v4.3-rc3
v4.3-rc4
v4.3-rc5
v4.3-rc6
v4.3-rc7
v4.4
v4.4-rc1
v4.4-rc2
v4.4-rc3
v4.4-rc4
v4.4-rc5
v4.4-rc6
v4.4-rc7
v4.4-rc8
v4.5
v4.5-rc1
v4.5-rc2
v4.5-rc3
v4.5-rc4
v4.5-rc5
v4.5-rc6
v4.5-rc7
v4.6
v4.6-rc1
v4.6-rc2
v4.6-rc3
v4.6-rc4
v4.6-rc5
v4.6-rc6
v4.6-rc7
v4.7
v4.7-rc1
v4.7-rc2
v4.7-rc3
v4.7-rc4
v4.7-rc5
v4.7-rc6
v4.7-rc7
v4.8
v4.8-rc1
v4.8-rc2
v4.8-rc3
v4.8-rc4
v4.8-rc5
v4.8-rc6
v4.8-rc7
v4.8-rc8
v4.9
v4.9-rc1
v4.9-rc2
v4.9-rc3
v4.9-rc4
v4.9-rc5
v4.9-rc6
v4.9-rc7
v4.9-rc8
v4.9.1
v4.9.10
v4.9.100
v4.9.101
v4.9.102
v4.9.103
v4.9.104
v4.9.105
v4.9.106
v4.9.107
v4.9.108
v4.9.109
v4.9.11
v4.9.110
v4.9.111
v4.9.112
v4.9.113
v4.9.114
v4.9.115
v4.9.116
v4.9.117
v4.9.118
v4.9.119
v4.9.12
v4.9.120
v4.9.121
v4.9.122
v4.9.123
v4.9.124
v4.9.125
v4.9.126
v4.9.127
v4.9.128
v4.9.129
v4.9.13
v4.9.130
v4.9.131
v4.9.132
v4.9.133
v4.9.134
v4.9.135
v4.9.136
v4.9.137
v4.9.138
v4.9.139
v4.9.14
v4.9.140
v4.9.141
v4.9.142
v4.9.143
v4.9.144
v4.9.145
v4.9.146
v4.9.147
v4.9.148
v4.9.149
v4.9.15
v4.9.150
v4.9.151
v4.9.152
v4.9.153
v4.9.154
v4.9.155
v4.9.156
v4.9.157
v4.9.158
v4.9.159
v4.9.16
v4.9.160
v4.9.161
v4.9.162
v4.9.163
v4.9.164
v4.9.165
v4.9.166
v4.9.167
v4.9.168
v4.9.169
v4.9.17
v4.9.170
v4.9.18
v4.9.19
v4.9.2
v4.9.20
v4.9.21
v4.9.22
v4.9.23
v4.9.24
v4.9.25
v4.9.26
v4.9.27
v4.9.28
v4.9.29
v4.9.3
v4.9.30
v4.9.31
v4.9.32
v4.9.33
v4.9.34
v4.9.35
v4.9.36
v4.9.37
v4.9.38
v4.9.39
v4.9.4
v4.9.40
v4.9.41
v4.9.42
v4.9.43
v4.9.44
v4.9.45
v4.9.46
v4.9.47
v4.9.48
v4.9.49
v4.9.5
v4.9.50
v4.9.51
v4.9.52
v4.9.53
v4.9.54
v4.9.55
v4.9.56
v4.9.57
v4.9.58
v4.9.59
v4.9.6
v4.9.60
v4.9.61
v4.9.62
v4.9.63
v4.9.64
v4.9.65
v4.9.66
v4.9.67
v4.9.68
v4.9.69
v4.9.7
v4.9.70
v4.9.71
v4.9.72
v4.9.73
v4.9.74
v4.9.75
v4.9.76
v4.9.77
v4.9.78
v4.9.79
v4.9.8
v4.9.80
v4.9.81
v4.9.82
v4.9.83
v4.9.84
v4.9.85
v4.9.86
v4.9.87
v4.9.88
v4.9.89
v4.9.9
v4.9.90
v4.9.91
v4.9.92
v4.9.93
v4.9.94
v4.9.95
v4.9.96
v4.9.97
v4.9.98
v4.9.99
v5.*
v5.0
v5.0-rc1
v5.0-rc2
v5.0-rc3
v5.0-rc4
v5.0-rc5
v5.0-rc6
v5.0-rc7
v5.0-rc8
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38527.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.1.0
Fixed
5.15.190
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.147
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.100
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.40
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.15.8

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38527.json"