{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-15T06:37:44.068","vulnerabilities":[{"cve":{"id":"CVE-2025-38523","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-08-16T12:15:27.667","lastModified":"2025-11-18T21:53:29.273","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix the smbd_response slab to allow usercopy\n\nThe handling of received data in the smbdirect client code involves using\ncopy_to_iter() to copy data from the smbd_reponse struct's packet trailer\nto a folioq buffer provided by netfslib that encapsulates a chunk of\npagecache.\n\nIf, however, CONFIG_HARDENED_USERCOPY=y, this will result in the checks\nthen performed in copy_to_iter() oopsing with something like the following:\n\n CIFS: Attempting to mount \/\/172.31.9.1\/test\n CIFS: VFS: RDMA transport established\n usercopy: Kernel memory exposure attempt detected from SLUB object 'smbd_response_0000000091e24ea1' (offset 81, size 63)!\n ------------[ cut here ]------------\n kernel BUG at mm\/usercopy.c:102!\n ...\n RIP: 0010:usercopy_abort+0x6c\/0x80\n ...\n Call Trace:\n  <TASK>\n  __check_heap_object+0xe3\/0x120\n  __check_object_size+0x4dc\/0x6d0\n  smbd_recv+0x77f\/0xfe0 [cifs]\n  cifs_readv_from_socket+0x276\/0x8f0 [cifs]\n  cifs_read_from_socket+0xcd\/0x120 [cifs]\n  cifs_demultiplex_thread+0x7e9\/0x2d50 [cifs]\n  kthread+0x396\/0x830\n  ret_from_fork+0x2b8\/0x3b0\n  ret_from_fork_asm+0x1a\/0x30\n\nThe problem is that the smbd_response slab's packet field isn't marked as\nbeing permitted for usercopy.\n\nFix this by passing parameters to kmem_slab_create() to indicate that\ncopy_to_iter() is permitted from the packet region of the smbd_response\nslab objects, less the header space."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cifs: Arreglar el slab smbd_response para permitir usercopy El manejo de los datos recibidos en el código del cliente smbdirect implica usar copy_to_iter() para copiar datos del tráiler de paquetes de la estructura smbd_reponse a un búfer folioq proporcionado por netfslib que encapsula un trozo de pagecache. Sin embargo, si CONFIG_HARDENED_USERCOPY=y, esto dará como resultado que las comprobaciones realizadas en copy_to_iter() generen un error similar a lo siguiente: CIFS: Intentando montar \/\/172.31.9.1\/test CIFS: VFS: Transporte RDMA establecido usercopy: ¡Intento de exposición de memoria del kernel detectado desde el objeto SLUB 'smbd_response_0000000091e24ea1' (desplazamiento 81, tamaño 63)!-----------[ cut here ]------------ kernel BUG at mm\/usercopy.c:102! ... RIP: 0010:usercopy_abort+0x6c\/0x80 ... Call Trace:  __check_heap_object+0xe3\/0x120 __check_object_size+0x4dc\/0x6d0 smbd_recv+0x77f\/0xfe0 [cifs] cifs_readv_from_socket+0x276\/0x8f0 [cifs] cifs_read_from_socket+0xcd\/0x120 [cifs] cifs_demultiplex_thread+0x7e9\/0x2d50 [cifs] kthread+0x396\/0x830 ret_from_fork+0x2b8\/0x3b0 ret_from_fork_asm+0x1a\/0x30 El problema es que la respuesta smbd_response El campo de paquete de slab no está marcado como permitido para copia de usuario. Se soluciona pasando parámetros a kmem_slab_create() para indicar que se permite copy_to_iter() desde la región de paquete de los objetos slab smbd_response, menos el espacio de encabezado."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:N\/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-1188"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.36","matchCriteriaId":"64471BC5-89E0-43B3-8318-2D7EFF377CBD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.15.8","matchCriteriaId":"C7AFE5B0-F3B1-4D30-B8BF-EDA0385C4746"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*","matchCriteriaId":"6D4894DB-CCFE-4602-B1BF-3960B2E19A01"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*","matchCriteriaId":"09709862-E348-4378-8632-5A7813EDDC86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*","matchCriteriaId":"415BF58A-8197-43F5-B3D7-D1D63057A26E"}]}]}],"references":[{"url":"https:\/\/git.kernel.org\/stable\/c\/43e7e284fc77b710d899569360ea46fa3374ae22","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https:\/\/git.kernel.org\/stable\/c\/87dcc7e33fc3dcb8ed32333cec016528b5bb6ce4","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https:\/\/git.kernel.org\/stable\/c\/f0dd353d47f7051afa98c6c60c7486831eb1a410","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}