CVE-2025-40320

Source
https://cve.org/CVERecord?id=CVE-2025-40320
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40320.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-40320
Downstream
Related
Published
2025-12-08T00:46:47.670Z
Modified
2026-03-20T12:43:15.980237Z
Summary
smb: client: fix potential cfid UAF in smb2_query_info_compound
Details

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix potential cfid UAF in smb2_query_info_compound

When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free.

Reinitialize cfid to NULL under the replay label.

Example trace (trimmed):

refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110
[...]
RIP: 0010:refcount_warn_saturate+0x9c/0x110
[...]
Call Trace:
<TASK>
smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]
? step_into+0x10d/0x690
? __legitimize_path+0x28/0x60
smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]
smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]
? kmem_cache_alloc+0x18a/0x340
? getname_flags+0x46/0x1e0
cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]
statfs_by_dentry+0x67/0x90
vfs_statfs+0x16/0xd0
user_statfs+0x54/0xa0
__do_sys_statfs+0x20/0x50
do_syscall_64+0x58/0x80
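
The retry pattern described above, as an added example that is not part of the kernel's cifs code or of this advisory: a userspace C model of the replay loop in smb2_query_info_compound(), with the cached directory handle replaced by a toy struct that records when its last reference is dropped, so that a put on a stale pointer shows up as a return value instead of memory corruption. Every name with the _sim suffix, the scripted attempt plan and the refcount object are constructed for the example. The one assumption that makes the bug reproducible is that open_cached_dir_sim() leaves its out-pointer untouched when it fails, which is what lets the pointer from the first attempt survive into the cleanup of the second.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of the client's cached directory handle ("cfid"). A real slab
 * object gives no warning when a stale pointer is used; this one records
 * that its last reference was dropped so the bug can be observed safely. */
struct cfid {
    int refcount;
    bool released;
};

/* Constructed scenario for one attempt of the compound request. */
struct attempt {
    bool cached_dir_available;  /* does open_cached_dir hand back a cfid?   */
    bool fails_retryable;       /* does the request fail with a replayable error? */
};

/* Stand-in for open_cached_dir(): only writes *out on success, so a failed
 * call on a retry leaves whatever the previous attempt stored (assumption). */
static int open_cached_dir_sim(struct cfid *obj, bool available, struct cfid **out)
{
    if (!available)
        return -1;
    obj->refcount++;
    obj->released = false;
    *out = obj;
    return 0;
}

/* Stand-in for close_cached_dir(). Returns 0 on a valid put and -1 when the
 * object was already released, the condition refcount_warn_saturate()
 * reports as "underflow; use-after-free" in the trace above. */
static int close_cached_dir_sim(struct cfid *c)
{
    if (c->released || c->refcount <= 0)
        return -1;
    if (--c->refcount == 0)
        c->released = true;       /* last reference gone: object is freed */
    return 0;
}

/* Shape of the retry loop. reset_on_replay selects the vulnerable form
 * (cfid keeps the previous attempt's value) or the fixed form (cfid = NULL
 * under the replay label). Returns 1 if cleanup touched a freed cfid. */
static int query_info_compound_sim(struct cfid *obj, const struct attempt *plan,
                                   size_t nplans, bool reset_on_replay)
{
    struct cfid *cfid = NULL;
    size_t n = 0;
    int uaf = 0;
    int rc;

replay_again:
    if (reset_on_replay)
        cfid = NULL;              /* the fix: forget the pointer from the last try */
    if (n >= nplans)
        return uaf;               /* out of scripted attempts: give up */

    (void)open_cached_dir_sim(obj, plan[n].cached_dir_available, &cfid);
    rc = plan[n].fails_retryable ? -1 : 0;   /* the compound send/receive */
    n++;

    /* cleanup shared by every exit path ("finished:" in the real function) */
    if (cfid) {
        if (close_cached_dir_sim(cfid) < 0)
            uaf = 1;              /* stale pointer from a previous attempt */
    }

    if (rc < 0)
        goto replay_again;        /* is_replayable_error() && smb2_should_replay() */
    return uaf;
}

/* Scenario from the advisory: the first attempt gets a cfid and fails with a
 * replayable error (its put frees the object); the retry gets no cfid. */
static int run_replay_scenario(bool reset_on_replay)
{
    struct cfid obj = { .refcount = 0, .released = false };
    const struct attempt plan[] = {
        { .cached_dir_available = true,  .fails_retryable = true  },
        { .cached_dir_available = false, .fails_retryable = false },
    };
    return query_info_compound_sim(&obj, plan, 2, reset_on_replay);
}

int main(void)
{
    printf("without reset under replay label: uaf=%d\n", run_replay_scenario(false));
    printf("with    reset under replay label: uaf=%d\n", run_replay_scenario(true));
    return 0;
}
```

Without the reset, the second attempt's cleanup calls close_cached_dir_sim() on the pointer left behind by the first attempt, whose only reference was already dropped; with the reset the cleanup sees NULL and skips it. The same discipline applies to any out-parameter that is reused across a retry loop: reinitialize it at the top of the loop rather than relying on the callee to clear it on failure.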

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40320.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
433042a91f9373241307725b52de573933ffedbf
Fixed
939c4e33005e2a56ea8fcedddf0da92df864bd3b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4f1fffa2376922f3d1d506e49c0fd445b023a28e
Fixed
327f89c21601ebb7889f8c97754b76f08ce95a0c
Fixed
b556c278d43f4707a9073ca74d55581b4f279806
Fixed
5c76f9961c170552c1d07c830b5e145475151600

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40320.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.6.117
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.58
Type
ECOSYSTEM
Events
Introduced
6.8.0
Fixed
6.17.8

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40320.json"