smb3: fix for slab out of bounds on mount to ksmbd

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2025-38728
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2025-09-04 16:15:42 UTC
Updated2026-05-12 13:17:03 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: smb3: fix for slab out of bounds on mount to ksmbd With KASAN enabled, it is possible to get a slab out of bounds during mount to ksmbd due to missing check in parse_server_interfaces() (see below): BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x14ee/0x1880 [cifs] Read of size 4 at addr ffff8881433dba98 by task mount/9827 CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary) Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: Dell Inc. Precision Tower 3620/0MWYPT, BIOS 2.13.1 06/14/2019 Call Trace: <TASK> dump_stack_lvl+0x9f/0xf0 print_report+0xd1/0x670 __virt_addr_valid+0x22c/0x430 ? parse_server_interfaces+0x14ee/0x1880 [cifs] ? kasan_complete_mode_report_info+0x2a/0x1f0 ? parse_server_interfaces+0x14ee/0x1880 [cifs] kasan_report+0xd6/0x110 parse_server_interfaces+0x14ee/0x1880 [cifs] __asan_report_load_n_noabort+0x13/0x20 parse_server_interfaces+0x14ee/0x1880 [cifs] ? __pfx_parse_server_interfaces+0x10/0x10 [cifs] ? trace_hardirqs_on+0x51/0x60 SMB3_request_interfaces+0x1ad/0x3f0 [cifs] ? __pfx_SMB3_request_interfaces+0x10/0x10 [cifs] ? SMB2_tcon+0x23c/0x15d0 [cifs] smb3_qfs_tcon+0x173/0x2b0 [cifs] ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs] ? cifs_get_tcon+0x105d/0x2120 [cifs] ? do_raw_spin_unlock+0x5d/0x200 ? cifs_get_tcon+0x105d/0x2120 [cifs] ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs] cifs_mount_get_tcon+0x369/0xb90 [cifs] ? dfs_cache_find+0xe7/0x150 [cifs] dfs_mount_share+0x985/0x2970 [cifs] ? check_path.constprop.0+0x28/0x50 ? save_trace+0x54/0x370 ? __pfx_dfs_mount_share+0x10/0x10 [cifs] ? __lock_acquire+0xb82/0x2ba0 ? __kasan_check_write+0x18/0x20 cifs_mount+0xbc/0x9e0 [cifs] ? __pfx_cifs_mount+0x10/0x10 [cifs] ? do_raw_spin_unlock+0x5d/0x200 ? cifs_setup_cifs_sb+0x29d/0x810 [cifs] cifs_smb3_do_mount+0x263/0x1990 [cifs]

Risk And Classification

Primary CVSS: v3.1 7.1 HIGH from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Problem Types: CWE-125

CVSS v3.1 Breakdown

Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Linux Linux Kernel All All All All

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected fe856be475f7cf5ffcde57341d175ce9fd09434b 9bdb8e98a0073c73ab3e6c631ec78877ceb64565 git Not specified
CNA Linux Linux affected fe856be475f7cf5ffcde57341d175ce9fd09434b a0620e1525663edd8c4594f49fb75fe5be4724b0 git Not specified
CNA Linux Linux affected fe856be475f7cf5ffcde57341d175ce9fd09434b 8de33d4d72e8fae3502ec3850bd7b14e7c7328b6 git Not specified
CNA Linux Linux affected fe856be475f7cf5ffcde57341d175ce9fd09434b a542f93a123555d09c3ce8bc947f7b56ad8e6463 git Not specified
CNA Linux Linux affected fe856be475f7cf5ffcde57341d175ce9fd09434b f6eda5b0e8f8123564c5b34f5801d63243032eac git Not specified
CNA Linux Linux affected fe856be475f7cf5ffcde57341d175ce9fd09434b 7d34ec36abb84fdfb6632a0f2cbda90379ae21fc git Not specified
CNA Linux Linux affected 4.18 Not specified
CNA Linux Linux unaffected 4.18 semver Not specified
CNA Linux Linux unaffected 6.1.149 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.103 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.43 6.12.* semver Not specified
CNA Linux Linux unaffected 6.15.11 6.15.* semver Not specified
CNA Linux Linux unaffected 6.16.2 6.16.* semver Not specified
CNA Linux Linux unaffected 6.17 * original_commit_for_fix Not specified
ADP Siemens SIMATIC CN 4100 affected V5.0 custom Not specified

References

ReferenceSourceLinkTags
lists.debian.org/debian-lts-announce/2025/10/msg00008.html af854a3a-2127-422b-91ae-364da2661108 lists.debian.org Mailing List, Third Party Advisory
git.kernel.org/stable/c/a542f93a123555d09c3ce8bc947f7b56ad8e6463 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/9bdb8e98a0073c73ab3e6c631ec78877ceb64565 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/7d34ec36abb84fdfb6632a0f2cbda90379ae21fc 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
cert-portal.siemens.com/productcert/html/ssa-032379.html 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e cert-portal.siemens.com
git.kernel.org/stable/c/f6eda5b0e8f8123564c5b34f5801d63243032eac 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/a0620e1525663edd8c4594f49fb75fe5be4724b0 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/8de33d4d72e8fae3502ec3850bd7b14e7c7328b6 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report