{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-01T14:29:47.089","vulnerabilities":[{"cve":{"id":"CVE-2025-38527","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-08-16T12:15:28.183","lastModified":"2026-01-07T17:38:48.213","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in cifs_oplock_break\n\nA race condition can occur in cifs_oplock_break() leading to a\nuse-after-free of the cinode structure when unmounting:\n\n  cifs_oplock_break()\n    _cifsFileInfo_put(cfile)\n      cifsFileInfo_put_final()\n        cifs_sb_deactive()\n          [last ref, start releasing sb]\n            kill_sb()\n              kill_anon_super()\n                generic_shutdown_super()\n                  evict_inodes()\n                    dispose_list()\n                      evict()\n                        destroy_inode()\n                          call_rcu(&inode->i_rcu, i_callback)\n    spin_lock(&cinode->open_file_lock)  <- OK\n                            [later] i_callback()\n                              cifs_free_inode()\n                                kmem_cache_free(cinode)\n    spin_unlock(&cinode->open_file_lock)  <- UAF\n    cifs_done_oplock_break(cinode)       <- UAF\n\nThe issue occurs when umount has already released its reference to the\nsuperblock. When _cifsFileInfo_put() calls cifs_sb_deactive(), this\nreleases the last reference, triggering the immediate cleanup of all\ninodes under RCU. However, cifs_oplock_break() continues to access the\ncinode after this point, resulting in use-after-free.\n\nFix this by holding an extra reference to the superblock during the\nentire oplock break operation. 
This ensures that the superblock and\nits inodes remain valid until the oplock break completes."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: corrección de use after free en cifs_oplock_break. Puede producirse una condición de ejecución en cifs_oplock_break() que provoca un use after free de la estructura cinode al desmontar: cifs_oplock_break() _cifsFileInfo_put(cfile) cifsFileInfo_put_final() cifs_sb_deactive() [última referencia, iniciar la liberación de sb] kill_sb() kill_anon_super() generic_shutdown_super() evict_inodes() dispose_list() evict() destroy_inode() call_rcu(&inode->i_rcu, i_callback) spin_lock(&cinode->open_file_lock) <- OK [más tarde] i_callback() cifs_free_inode() kmem_cache_free(cinode) spin_unlock(&cinode->open_file_lock) <- UAF cifs_done_oplock_break(cinode) <- UAF El problema ocurre cuando umount ya ha liberado su referencia al superbloque. Cuando _cifsFileInfo_put() llama a cifs_sb_deactive(), se libera la última referencia, lo que desencadena la limpieza inmediata de todos los inodos bajo RCU. Sin embargo, cifs_oplock_break() continúa accediendo al cinode después de este punto, lo que resulta en un use after free. Para solucionar esto, mantenga una referencia adicional al superbloque durante toda la operación de ruptura del oplock. 
Esto garantiza que el superbloque y sus inodos sigan siendo válidos hasta que se complete la ruptura del oplock."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.16.72","versionEndExcluding":"3.17","matchCriteriaId":"1ED01FFA-151C-4240-A234-6FEB9BAD08A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9.171","versionEndExcluding":"4.10","matchCriteriaId":"1638DAE4-6580-4DE9-A2E4-E3F5A4C44F56"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.114","versionEndExcluding":"4.15","matchCriteriaId":"34B2FC78-6012-4CCB-9F23-9F3EBC1E9463"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.37","versionEndExcluding":"4.20","matchCriteriaId":"84DD5BD5-6192-400A-861A-177194C762B3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0.10","versionEndExcluding":"5.1","matchCriteriaId":"CB9573B4-2670-4E51-BD98-77B010DD43B7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1.1","versionEndExcluding":"5.15.190","matchCriteriaId":"4CBC473A-889D-48AC-8327-7A8551247196"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*
:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.147","matchCriteriaId":"A4FD62FC-0DAE-4ACE-8C9C-66156518C3E1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.100","matchCriteriaId":"094B81E0-B756-4727-85CA-F3F8D1C9D116"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.40","matchCriteriaId":"0099D5A4-B157-4D36-8858-982C7D579030"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.15.8","matchCriteriaId":"C7AFE5B0-F3B1-4D30-B8BF-EDA0385C4746"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.1:-:*:*:*:*:*:*","matchCriteriaId":"D89FA266-EDB9-412A-B18E-1B5A0FCC3C0D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.1:rc6:*:*:*:*:*:*","matchCriteriaId":"9CC18FCC-3F69-4A7E-9F29-4C4504E83B4D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.1:rc7:*:*:*:*:*:*","matchCriteriaId":"12A5D914-5CEB-4D3F-A903-6F1FAD82A125"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*","matchCriteriaId":"6D4894DB-CCFE-4602-B1BF-3960B2E19A01"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*","matchCriteriaId":"09709862-E348-4378-8632-5A7813EDDC86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*","matchCriteriaId":"415BF58A-8197-43F5-B3D7-D1D63057A26E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*","matchCriteriaId":"A0517869-312D-4429-80C2-561086E1421C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:*","matchCriteriaId":"85421F4E-C863-4ABF-B4B4-E887CC2F7F92"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:rc6:*:*:*:*:*:*","matchCriteriaId":"3827F0D4-5FEE-4181-B267-5A45E7CA11FC"}]}]},{"nodes":[{"operato
r":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","matchCriteriaId":"FA6FEEC2-9F11-4643-8827-749718254FED"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/09bce2138a30ef10d8821c8c3f73a4ab7a5726bc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/0a4eec84d4d2c4085d4ed8630fd74e4b39033c1b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/2baaf5bbab2ac474c4f92c10fcb3310f824db995","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4256a483fe58af66a46cbf3dc48ff26e580d3308","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/705c79101ccf9edea5a00d761491a03ced314210","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/da11bd4b697b393a207f19a2ed7d382a811a3ddc","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}}]}