CVE-2025-38527

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38527
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38527.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38527
Downstream
Related
Published
2025-08-16T12:15:28Z
Modified
2025-08-30T18:01:36Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix use-after-free in cifs_oplock_break

A race condition can occur in cifs_oplock_break() leading to a use-after-free of the cinode structure when unmounting:

cifs_oplock_break()
  cifsFileInfo_put(cfile)
    cifsFileInfo_put_final()
      cifs_sb_deactive()
        [last ref, start releasing sb]
          kill_sb()
            kill_anon_super()
              generic_shutdown_super()
                evict_inodes()
                  dispose_list()
                    evict()
                      destroy_inode()
                        call_rcu(&inode->i_rcu, i_callback)
  spin_lock(&cinode->open_file_lock)   <- OK
  [later]
    i_callback()
      cifs_free_inode()
        kmem_cache_free(cinode)
  spin_unlock(&cinode->open_file_lock) <- UAF
  cifs_done_oplock_break(cinode)       <- UAF

The issue occurs when umount has already released its reference to the superblock. When cifsFileInfo_put() calls cifs_sb_deactive(), this releases the last reference, triggering the immediate cleanup of all inodes under RCU. However, cifs_oplock_break() continues to access the cinode after this point, resulting in a use-after-free.

Fix this by holding an extra reference to the superblock during the entire oplock break operation. This ensures that the superblock and its inodes remain valid until the oplock break completes.

References

Affected packages