CVE-2025-38527
- Source
- https://cve.org/CVERecord?id=CVE-2025-38527
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38527.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38527
- Downstream
- Related
- Published
- 2025-08-16T11:12:20.843Z
- Modified
- 2026-03-12T02:19:16.772902Z
- Summary
- smb: client: fix use-after-free in cifs_oplock_break
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix use-after-free in cifsoplockbreak
A race condition can occur in cifsoplockbreak() leading to a use-after-free of the cinode structure when unmounting:
cifsoplockbreak() cifsFileInfoput(cfile) cifsFileInfoputfinal() cifssbdeactive() [last ref, start releasing sb] killsb() killanonsuper() genericshutdownsuper() evictinodes() disposelist() evict() destroyinode() callrcu(&inode->ircu, icallback) spinlock(&cinode->openfilelock) <- OK [later] icallback() cifsfreeinode() kmemcachefree(cinode) spinunlock(&cinode->openfilelock) <- UAF cifsdoneoplock_break(cinode) <- UAF
The issue occurs when umount has already released its reference to the superblock. When cifsFileInfoput() calls cifssbdeactive(), this releases the last reference, triggering the immediate cleanup of all inodes under RCU. However, cifsoplockbreak() continues to access the cinode after this point, resulting in use-after-free.
Fix this by holding an extra reference to the superblock during the entire oplock break operation. This ensures that the superblock and its inodes remain valid until the oplock break completes.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38527.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/09bce2138a30ef10d8821c8c3f73a4ab7a5726bc
- https://git.kernel.org/stable/c/0a4eec84d4d2c4085d4ed8630fd74e4b39033c1b
- https://git.kernel.org/stable/c/2baaf5bbab2ac474c4f92c10fcb3310f824db995
- https://git.kernel.org/stable/c/4256a483fe58af66a46cbf3dc48ff26e580d3308
- https://git.kernel.org/stable/c/705c79101ccf9edea5a00d761491a03ced314210
- https://git.kernel.org/stable/c/da11bd4b697b393a207f19a2ed7d382a811a3ddc
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38527.json
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-38527
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedb98749cac4a695f084a5ff076f4510b23e353ecdFixed4256a483fe58af66a46cbf3dc48ff26e580d3308Fixed0a4eec84d4d2c4085d4ed8630fd74e4b39033c1bFixed2baaf5bbab2ac474c4f92c10fcb3310f824db995Fixed09bce2138a30ef10d8821c8c3f73a4ab7a5726bcFixedda11bd4b697b393a207f19a2ed7d382a811a3ddcFixed705c79101ccf9edea5a00d761491a03ced314210
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected2429fcf06d3cb962693868ab0a927c9038f12a2dLast affected1ee4f2d7cdcd4508cc3cbe3b2622d7177b89da12Last affected53fc31a4853e30d6e8f142b824f724da27ff3e40Last affected8092ecc306d81186a64cda42411121f4d35aaff4Last affectedebac4d0adf68f8962bd82fcf483936edd6ec095b