CVE-2025-37750

EUVD-2025-13072
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix UAF in decryption with multichannel

After commit f7025d861694 ("smb: client: allocate crypto only for
primary server") and commit b0abcd65ec54 ("smb: client: fix UAF in
async decryption"), the channels started reusing AEAD TFM from primary
channel to perform synchronous decryption, but that can't done as
there could be multiple cifsd threads (one per channel) simultaneously
accessing it to perform decryption.

This fixes the following KASAN splat when running fstest generic/249
with 'vers=3.1.1,multichannel,max_channels=4,seal' against Windows
Server 2022:

BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xba/0x110
Read of size 8 at addr ffff8881046c18a0 by task cifsd/986
CPU: 3 UID: 0 PID: 986 Comm: cifsd Not tainted 6.15.0-rc1 #1
PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41
04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x5d/0x80
 print_report+0x156/0x528
 ? gf128mul_4k_lle+0xba/0x110
 ? __virt_addr_valid+0x145/0x300
 ? __phys_addr+0x46/0x90
 ? gf128mul_4k_lle+0xba/0x110
 kasan_report+0xdf/0x1a0
 ? gf128mul_4k_lle+0xba/0x110
 gf128mul_4k_lle+0xba/0x110
 ghash_update+0x189/0x210
 shash_ahash_update+0x295/0x370
 ? __pfx_shash_ahash_update+0x10/0x10
 ? __pfx_shash_ahash_update+0x10/0x10
 ? __pfx_extract_iter_to_sg+0x10/0x10
 ? ___kmalloc_large_node+0x10e/0x180
 ? __asan_memset+0x23/0x50
 crypto_ahash_update+0x3c/0xc0
 gcm_hash_assoc_remain_continue+0x93/0xc0
 crypt_message+0xe09/0xec0 [cifs]
 ? __pfx_crypt_message+0x10/0x10 [cifs]
 ? _raw_spin_unlock+0x23/0x40
 ? __pfx_cifs_readv_from_socket+0x10/0x10 [cifs]
 decrypt_raw_data+0x229/0x380 [cifs]
 ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]
 ? __pfx_cifs_read_iter_from_socket+0x10/0x10 [cifs]
 smb3_receive_transform+0x837/0xc80 [cifs]
 ? __pfx_smb3_receive_transform+0x10/0x10 [cifs]
 ? __pfx___might_resched+0x10/0x10
 ? __pfx_smb3_is_transform_hdr+0x10/0x10 [cifs]
 cifs_demultiplex_thread+0x692/0x1570 [cifs]
 ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
 ? rcu_is_watching+0x20/0x50
 ? rcu_lockdep_current_cpu_online+0x62/0xb0
 ? find_held_lock+0x32/0x90
 ? kvm_sched_clock_read+0x11/0x20
 ? local_clock_noinstr+0xd/0xd0
 ? trace_irq_enable.constprop.0+0xa8/0xe0
 ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
 kthread+0x1fe/0x380
 ? kthread+0x10f/0x380
 ? __pfx_kthread+0x10/0x10
 ? local_clock_noinstr+0xd/0xd0
 ? ret_from_fork+0x1b/0x60
 ? local_clock+0x15/0x30
 ? lock_release+0x29b/0x390
 ? rcu_is_watching+0x20/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x31/0x60
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
 </TASK>
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
5.10.237 ≤
𝑥
< 5.11
linuxlinux_kernel
5.15.181 ≤
𝑥
< 5.16
linuxlinux_kernel
6.1.128 ≤
𝑥
< 6.2
linuxlinux_kernel
6.6.57 ≤
𝑥
< 6.7
linuxlinux_kernel
6.11.4 ≤
𝑥
< 6.12.24
linuxlinux_kernel
6.13 ≤
𝑥
< 6.13.12
linuxlinux_kernel
6.14 ≤
𝑥
< 6.14.3
linuxlinux_kernel
6.15:rc1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.257-1
fixed
forky
7.0.10-1
fixed
sid
7.0.10-1
fixed
trixie
6.12.86-1
fixed
trixie (security)
6.12.90-2
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
kernel-64kb
suse enterprise desktop 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-azure
suse enterprise sap 15 SP6
6.4.0-150600.8.40.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.20.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.8.40.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.20.3.1
fixed
kernel-default
suse enterprise desktop 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-default-base
suse enterprise desktop 15 SP6
6.4.0-150600.23.53.1.150600.12.24.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1.150700.17.2.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.53.1.150600.12.24.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1.150700.17.2.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.53.1.150600.12.24.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1.150700.17.2.1
fixed
kernel-docs
suse enterprise desktop 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-macros
suse enterprise desktop 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-obs-build
suse enterprise desktop 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-source
suse enterprise desktop 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-source-azure
suse enterprise sap 15 SP6
6.4.0-150600.8.40.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.20.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.8.40.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.20.3.1
fixed
kernel-syms
suse enterprise desktop 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-syms-azure
suse enterprise sap 15 SP6
6.4.0-150600.8.40.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.20.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.8.40.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.20.3.1
fixed
kernel-zfcpdump
suse enterprise desktop 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.53.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
kernel
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-64k
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-64k-core
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-64k-debug
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-64k-debug-core
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-64k-debug-devel
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-64k-debug-devel-matched
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-64k-debug-modules
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-64k-debug-modules-core
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-64k-debug-modules-extra
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-64k-devel
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-64k-devel-matched
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-64k-modules
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-64k-modules-core
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-64k-modules-extra
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-abi-stablelists
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-core
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-debug
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-debug-core
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-debug-devel
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-debug-devel-matched
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-debug-modules
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-debug-modules-core
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-debug-modules-extra
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-debug-uki-virt
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-devel
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-devel-matched
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-doc
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-modules
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-modules-core
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-modules-extra
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-64k
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-64k-core
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-64k-debug
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-64k-debug-core
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-64k-debug-devel
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-64k-debug-modules
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-64k-debug-modules-core
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-64k-debug-modules-extra
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-64k-devel
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-64k-modules
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-64k-modules-core
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-64k-modules-extra
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-core
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-debug
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-debug-core
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-debug-devel
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-debug-kvm
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-debug-modules
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-debug-modules-core
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-debug-modules-extra
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-devel
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-kvm
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-modules
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-modules-core
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-rt-modules-extra
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-tools
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-tools-libs
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-tools-libs-devel
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-uki-virt
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-uki-virt-addons
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-zfcpdump
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-zfcpdump-core
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-zfcpdump-devel
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-zfcpdump-devel-matched
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-zfcpdump-modules
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-zfcpdump-modules-core
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kernel-zfcpdump-modules-extra
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
kpatch-patch-5
RHEL 9
0:1-2.el9_6
fixed
libperf
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
perf
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
python3-perf
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
rtla
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
rv
RHEL 9
0:5.14.0-570.22.1.el9_6
fixed
Common Weakness Enumeration
References
https://git.kernel.org/stable/c/9502dd5c7029902f4a425bf959917a5a9e7c0e50
https://git.kernel.org/stable/c/950557922c1298464749c216d8763e97faf5d0a6
https://git.kernel.org/stable/c/aa5a1e4b882964eb79d5b5d1d1e8a1a5efbb1d15
https://git.kernel.org/stable/c/e859b216d94668bc66330e61be201234f4413d1a