CVE-2025-39838

EUVD-2025-30362

19.09.2025, 16:15

In the Linux kernel, the following vulnerability has been resolved:

cifs: prevent NULL pointer dereference in UTF16 conversion

There can be a NULL pointer dereference bug here. NULL is passed to
__cifs_sfu_make_node without checks, which passes it unchecked to
cifs_strndup_to_utf16, which in turn passes it to
cifs_local_to_utf16_bytes where '*from' is dereferenced, causing a crash.

This patch adds a check for NULL 'src' in cifs_strndup_to_utf16 and
returns NULL early to prevent dereferencing NULL pointer.

Found by Linux Verification Center (linuxtesting.org) with SVACE

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	6.12 ≤ 𝑥 < 6.12.46
linux	linux_kernel	6.13 ≤ 𝑥 < 6.16.6
linux	linux_kernel	6.17:rc1
linux	linux_kernel	6.17:rc2
linux	linux_kernel	6.17:rc3
linux	linux_kernel	6.17:rc4
debian	debian_linux	11.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.159-1 fixed
bookworm (security)	6.1.162-1 fixed
bullseye	5.10.223-1 not-affected
bullseye (security)	5.10.249-1 fixed
forky	6.18.9-1 fixed
sid	6.18.12-1 fixed
trixie	6.12.63-1 fixed
trixie (security)	6.12.73-1 fixed

linux-6.1

bullseye (security)

6.1.162-1~deb11u1

fixed

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://git.kernel.org/stable/c/1f797f062b5cf13a1c2bcc23285361baaa7c9260

https://git.kernel.org/stable/c/3c26a8d30ed6b53a52a023ec537dc50a6d34a67a

https://git.kernel.org/stable/c/70bccd9855dae56942f2b18a08ba137bb54093a0

https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html