CVE-2025-37778 - Vulnerability Details

- ksmbd: Fix dangling pointer in krb_authenticate

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: Fix dangling pointer in krb_authenticate

krb_authenticate frees sess->user and does not set the pointer
to NULL. It calls ksmbd_krb5_authenticate to reinitialise
sess->user but that function may return without doing so. If
that happens then smb2_sess_setup, which calls krb_authenticate,
will be accessing free'd memory when it later uses sess->user.

Published: 2025-05-01

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel, the krb_authenticate function frees session user data without nulling the pointer and may not reinitialize the pointer when reauthentication occurs. Subsequent SMB2 session setup functions then reference the freed memory, creating a use‑after‑free condition. The affected code may allow an attacker to trigger memory corruption that can lead to denial of service or arbitrary code execution, a classic CWE‑416 vulnerability.

Affected Systems

The flaw affects the Linux kernel shipped with Debian 11 and all Linux kernel releases up to and including the 6.15 release candidates (RC1 and RC2). All distributions carrying those kernel versions are potentially impacted until the patch is applied.

Risk and Exploitability

The CVSS score of 7.8 indicates a high impact, and the EPSS score of less than 1% suggests low but non‑zero likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Attackers can likely exploit the flaw remotely by sending crafted SMB/Kerberos requests, as the code path is reachable from network traffic.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< b61f04d5d73c53d183019bafe22fb700a739bac5
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< d5b554bc8d554ed6ddf443d3db2fad9f665cec10
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< 1db2451de23e98bc864c6a6e52aa0d82c91cb325
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< 6e30c0e10210c714f3d4453dc258d4abcc70364e
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< e83e39a5f6a01a81411a4558a59a10f87aa88dd6
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< 1e440d5b25b7efccb3defe542a73c51005799a5f

Linux

affected

Version	Status	Constraints
`5.15`	affected	—
`0`	unaffected	< 5.15
`5.15.203`	unaffected	≤ 5.15.*
`6.1.135`	unaffected	≤ 6.1.*
`6.6.88`	unaffected	≤ 6.6.*
`6.12.25`	unaffected	≤ 6.12.*
`6.14.4`	unaffected	≤ 6.14.*
`6.15`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc2::::::

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to the latest stable version that contains the patch (e.g., kernel 6.15.3 or newer).
If a kernel upgrade cannot be performed immediately, disable SMB2/Kerberos authentication in the SMB configuration to eliminate the code path that exercises the vulnerable function.
After applying the upgrade or configuration change, restart the SMB service to ensure the patch takes effect and monitor logs for any access‑after‑free errors or crashes.

Generated by OpenCVE AI on April 20, 2026 at 15:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4193-1	linux-6.1 security update
EUVD	EUVD-2025-13044	In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix dangling pointer in krb_authenticate krb_authenticate frees sess->user and does not set the pointer to NULL. It calls ksmbd_krb5_authenticate to reinitialise sess->user but that function may return without doing so. If that happens then smb2_sess_setup, which calls krb_authenticate, will be accessing free'd memory when it later uses sess->user.
Ubuntu USN	USN-7594-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7594-2	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-7594-3	Linux kernel vulnerabilities
Ubuntu USN	USN-8028-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8028-2	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8031-1	Linux kernel (GCP) vulnerabilities
Ubuntu USN	USN-8028-3	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8028-4	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8028-5	Linux kernel vulnerabilities
Ubuntu USN	USN-8031-2	Linux kernel (GCP FIPS) vulnerabilities
Ubuntu USN	USN-8028-6	Linux kernel (HWE) vulnerabilities
Ubuntu USN	USN-8031-3	Linux kernel vulnerabilities
Ubuntu USN	USN-8052-1	Linux kernel (Low Latency) vulnerabilities
Ubuntu USN	USN-8028-7	Linux kernel (Low Latency NVIDIA) vulnerabilities
Ubuntu USN	USN-8028-8	Linux kernel (IBM) vulnerabilities
Ubuntu USN	USN-8052-2	Linux kernel (Xilinx) vulnerabilities
Ubuntu USN	USN-8074-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8074-2	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-8126-1	Linux kernel (Azure) vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00077.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1db2451de23e98bc864c6a6e52aa0d82c91cb325
https://git.kernel.org/stable/c/1e440d5b25b7efccb3defe542a73c51005799a5f
https://git.kernel.org/stable/c/6e30c0e10210c714f3d4453dc258d4abcc70364e
https://git.kernel.org/stable/c/b61f04d5d73c53d183019bafe22fb700a739bac5
https://git.kernel.org/stable/c/d5b554bc8d554ed6ddf443d3db2fad9f665cec10
https://git.kernel.org/stable/c/e83e39a5f6a01a81411a4558a59a10f87aa88dd6
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html
https://lore.kernel.org/linux-cve-announce/2025050116-CVE-2025-37778-7202@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-37778
https://www.cve.org/CVERecord?id=CVE-2025-37778

History

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/b61f04d5d73c53d183019bafe22fb700a739bac5

Fri, 13 Feb 2026 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Debian Debian debian Linux Linux Linux linux Kernel
Weaknesses		CWE-416
CPEs		cpe:2.3:o:debian:debian_linux:11.0:::::::* cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.15:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.15:rc2::::::
Vendors & Products		Debian Debian debian Linux Linux Linux linux Kernel
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 03 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html

Fri, 02 May 2025 14:45:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025050116-CVE-2025-37778-7202@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-37778 https://www.cve.org/CVERecord?id=CVE-2025-37778
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Thu, 01 May 2025 13:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix dangling pointer in krb_authenticate krb_authenticate frees sess->user and does not set the pointer to NULL. It calls ksmbd_krb5_authenticate to reinitialise sess->user but that function may return without doing so. If that happens then smb2_sess_setup, which calls krb_authenticate, will be accessing free'd memory when it later uses sess->user.
Title		ksmbd: Fix dangling pointer in krb_authenticate
References		https://git.kernel.org/stable/c/1db2451de23e98bc864c6a6e52aa0d82c91cb325 https://git.kernel.org/stable/c/1e440d5b25b7efccb3defe542a73c51005799a5f https://git.kernel.org/stable/c/6e30c0e10210c714f3d4453dc258d4abcc70364e https://git.kernel.org/stable/c/d5b554bc8d554ed6ddf443d3db2fad9f665cec10 https://git.kernel.org/stable/c/e83e39a5f6a01a81411a4558a59a10f87aa88dd6

Subscriptions

Debian Debian Linux

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-05-01T13:07:16.472Z

Updated: 2026-05-11T21:14:58.124Z

Reserved: 2025-04-16T04:51:23.940Z

Link: CVE-2025-37778

Vulnrichment

No data.

NVD

Status : Modified

Published: 2025-05-01T14:15:41.617

Modified: 2026-04-18T09:16:09.950

Link: CVE-2025-37778

Redhat

Severity : Moderate

Publid Date: 2025-05-01T00:00:00Z

Links: CVE-2025-37778 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T15:45:10Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object