{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-38523", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:24.023Z", "datePublished": "2025-08-16T11:12:17.254Z", "dateUpdated": "2025-08-16T11:12:17.254Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-08-16T11:12:17.254Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix the smbd_response slab to allow usercopy\n\nThe handling of received data in the smbdirect client code involves using\ncopy_to_iter() to copy data from the smbd_reponse struct's packet trailer\nto a folioq buffer provided by netfslib that encapsulates a chunk of\npagecache.\n\nIf, however, CONFIG_HARDENED_USERCOPY=y, this will result in the checks\nthen performed in copy_to_iter() oopsing with something like the following:\n\n CIFS: Attempting to mount //172.31.9.1/test\n CIFS: VFS: RDMA transport established\n usercopy: Kernel memory exposure attempt detected from SLUB object 'smbd_response_0000000091e24ea1' (offset 81, size 63)!\n ------------[ cut here ]------------\n kernel BUG at mm/usercopy.c:102!\n ...\n RIP: 0010:usercopy_abort+0x6c/0x80\n ...\n Call Trace:\n <TASK>\n __check_heap_object+0xe3/0x120\n __check_object_size+0x4dc/0x6d0\n smbd_recv+0x77f/0xfe0 [cifs]\n cifs_readv_from_socket+0x276/0x8f0 [cifs]\n cifs_read_from_socket+0xcd/0x120 [cifs]\n cifs_demultiplex_thread+0x7e9/0x2d50 [cifs]\n kthread+0x396/0x830\n ret_from_fork+0x2b8/0x3b0\n ret_from_fork_asm+0x1a/0x30\n\nThe problem is that the smbd_response slab's packet field isn't marked as\nbeing permitted for usercopy.\n\nFix this by passing parameters to kmem_slab_create() to indicate that\ncopy_to_iter() is permitted from the packet region of the smbd_response\nslab objects, less the header space."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/smbdirect.c"], "versions": [{"version": "ee4cdf7ba857a894ad1650d6ab77669cbbfa329e", "lessThan": "87dcc7e33fc3dcb8ed32333cec016528b5bb6ce4", "status": "affected", "versionType": "git"}, {"version": "ee4cdf7ba857a894ad1650d6ab77669cbbfa329e", "lessThan": "f0dd353d47f7051afa98c6c60c7486831eb1a410", "status": "affected", "versionType": "git"}, {"version": "ee4cdf7ba857a894ad1650d6ab77669cbbfa329e", "lessThan": "43e7e284fc77b710d899569360ea46fa3374ae22", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/smbdirect.c"], "versions": [{"version": "6.12", "status": "affected"}, {"version": "0", "lessThan": "6.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.36", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15.8", "lessThanOrEqual": "6.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.12.36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.15.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.16"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/87dcc7e33fc3dcb8ed32333cec016528b5bb6ce4"}, {"url": "https://git.kernel.org/stable/c/f0dd353d47f7051afa98c6c60c7486831eb1a410"}, {"url": "https://git.kernel.org/stable/c/43e7e284fc77b710d899569360ea46fa3374ae22"}], "title": "cifs: Fix the smbd_response slab to allow usercopy", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "64471BC5-89E0-43B3-8318-2D7EFF377CBD", "versionEndExcluding": "6.12.36", "versionStartIncluding": "6.12", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7AFE5B0-F3B1-4D30-B8BF-EDA0385C4746", "versionEndExcluding": "6.15.8", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*", "matchCriteriaId": "6D4894DB-CCFE-4602-B1BF-3960B2E19A01", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*", "matchCriteriaId": "09709862-E348-4378-8632-5A7813EDDC86", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*", "matchCriteriaId": "415BF58A-8197-43F5-B3D7-D1D63057A26E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix the smbd_response slab to allow usercopy\n\nThe handling of received data in the smbdirect client code involves using\ncopy_to_iter() to copy data from the smbd_reponse struct's packet trailer\nto a folioq buffer provided by netfslib that encapsulates a chunk of\npagecache.\n\nIf, however, CONFIG_HARDENED_USERCOPY=y, this will result in the checks\nthen performed in copy_to_iter() oopsing with something like the following:\n\n CIFS: Attempting to mount //172.31.9.1/test\n CIFS: VFS: RDMA transport established\n usercopy: Kernel memory exposure attempt detected from SLUB object 'smbd_response_0000000091e24ea1' (offset 81, size 63)!\n ------------[ cut here ]------------\n kernel BUG at mm/usercopy.c:102!\n ...\n RIP: 0010:usercopy_abort+0x6c/0x80\n ...\n Call Trace:\n <TASK>\n __check_heap_object+0xe3/0x120\n __check_object_size+0x4dc/0x6d0\n smbd_recv+0x77f/0xfe0 [cifs]\n cifs_readv_from_socket+0x276/0x8f0 [cifs]\n cifs_read_from_socket+0xcd/0x120 [cifs]\n cifs_demultiplex_thread+0x7e9/0x2d50 [cifs]\n kthread+0x396/0x830\n ret_from_fork+0x2b8/0x3b0\n ret_from_fork_asm+0x1a/0x30\n\nThe problem is that the smbd_response slab's packet field isn't marked as\nbeing permitted for usercopy.\n\nFix this by passing parameters to kmem_slab_create() to indicate that\ncopy_to_iter() is permitted from the packet region of the smbd_response\nslab objects, less the header space."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cifs: Arreglar el slab smbd_response para permitir usercopy El manejo de los datos recibidos en el c\u00f3digo del cliente smbdirect implica usar copy_to_iter() para copiar datos del tr\u00e1iler de paquetes de la estructura smbd_reponse a un b\u00fafer folioq proporcionado por netfslib que encapsula un trozo de pagecache. Sin embargo, si CONFIG_HARDENED_USERCOPY=y, esto dar\u00e1 como resultado que las comprobaciones realizadas en copy_to_iter() generen un error similar a lo siguiente: CIFS: Intentando montar //172.31.9.1/test CIFS: VFS: Transporte RDMA establecido usercopy: \u00a1Intento de exposici\u00f3n de memoria del kernel detectado desde el objeto SLUB 'smbd_response_0000000091e24ea1' (desplazamiento 81, tama\u00f1o 63)!-----------[ cut here ]------------ kernel BUG at mm/usercopy.c:102! ... RIP: 0010:usercopy_abort+0x6c/0x80 ... Call Trace: __check_heap_object+0xe3/0x120 __check_object_size+0x4dc/0x6d0 smbd_recv+0x77f/0xfe0 [cifs] cifs_readv_from_socket+0x276/0x8f0 [cifs] cifs_read_from_socket+0xcd/0x120 [cifs] cifs_demultiplex_thread+0x7e9/0x2d50 [cifs] kthread+0x396/0x830 ret_from_fork+0x2b8/0x3b0 ret_from_fork_asm+0x1a/0x30 El problema es que la respuesta smbd_response El campo de paquete de slab no est\u00e1 marcado como permitido para copia de usuario. Se soluciona pasando par\u00e1metros a kmem_slab_create() para indicar que se permite copy_to_iter() desde la regi\u00f3n de paquete de los objetos slab smbd_response, menos el espacio de encabezado."}], "id": "CVE-2025-38523", "lastModified": "2025-11-18T21:53:29.273", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-08-16T12:15:27.667", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/43e7e284fc77b710d899569360ea46fa3374ae22"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/87dcc7e33fc3dcb8ed32333cec016528b5bb6ce4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f0dd353d47f7051afa98c6c60c7486831eb1a410"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1188"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: cifs: Fix the smbd_response slab to allow usercopy", "id": "2388948", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388948"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\ncifs: Fix the smbd_response slab to allow usercopy\nThe handling of received data in the smbdirect client code involves using\ncopy_to_iter() to copy data from the smbd_reponse struct's packet trailer\nto a folioq buffer provided by netfslib that encapsulates a chunk of\npagecache.\nIf, however, CONFIG_HARDENED_USERCOPY=y, this will result in the checks\nthen performed in copy_to_iter() oopsing with something like the following:\nCIFS: Attempting to mount //172.31.9.1/test\nCIFS: VFS: RDMA transport established\nusercopy: Kernel memory exposure attempt detected from SLUB object 'smbd_response_0000000091e24ea1' (offset 81, size 63)!\n------------[ cut here ]------------\nkernel BUG at mm/usercopy.c:102!\n...\nRIP: 0010:usercopy_abort+0x6c/0x80\n...\nCall Trace:\n<TASK>\n__check_heap_object+0xe3/0x120\n__check_object_size+0x4dc/0x6d0\nsmbd_recv+0x77f/0xfe0 [cifs]\ncifs_readv_from_socket+0x276/0x8f0 [cifs]\ncifs_read_from_socket+0xcd/0x120 [cifs]\ncifs_demultiplex_thread+0x7e9/0x2d50 [cifs]\nkthread+0x396/0x830\nret_from_fork+0x2b8/0x3b0\nret_from_fork_asm+0x1a/0x30\nThe problem is that the smbd_response slab's packet field isn't marked as\nbeing permitted for usercopy.\nFix this by passing parameters to kmem_slab_create() to indicate that\ncopy_to_iter() is permitted from the packet region of the smbd_response\nslab objects, less the header space."], "name": "CVE-2025-38523", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-08-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38523\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38523\nhttps://lore.kernel.org/linux-cve-announce/2025081652-CVE-2025-38523-b126@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-08-18T20:50:01.481727+00:00", "updated": "2025-08-18T20:50:01.481793+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}