CVE-2025-40084

handle_response() dereferences the payload as a 4-byte handle without verifying that the declared payload size is at least 4 bytes. A malformed or truncated message from ksmbd.mountd can lead to a 4-byte read past the declared payload size. Validate the size before dereferencing.

This is a minimal fix to guard the initial handle read.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40084.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0626e6641f6b467447c81dd7678a69c66f7746cf

Fixed

a02e432d5130da4c723aabe1205bac805889fdb2

Fixed

2dc125f5da134c0915a840b62565c60a595673dd

Fixed

898d527ed94c19980a4d848f10057f1fed578ffb

Fixed

867ffd9d67285612da3f0498ca618297f8e41f01

Fixed

6f40e50ceb99fc8ef37e5c56e2ec1d162733fef0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40084.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.15.0

Fixed

6.1.158

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.115

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.56

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.17.6

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40084.json"