CVE-2025-40328

Linux Kernel 6.1.0-6.6.116, 6.7.0-6.12.57, 6.13.0-6.17.7 - Use-After-Free in SMB Client Cached Directory Handling

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_close_cached_fid() find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free. Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap.

References (4)

Core 4

Core References

Patch

https://git.kernel.org/stable/c/cb52d9c86d70298de0ab7c7953653898cbc0efd6

Patch

https://git.kernel.org/stable/c/065bd62412271a2d734810dd50336cae88c54427

Patch

https://git.kernel.org/stable/c/bdb596ceb4b7c3f28786a33840263728217fbcf5

Patch

https://git.kernel.org/stable/c/734e99623c5b65bf2c03e35978a0b980ebc3c2f8

Scores

EPSS 0.0004

EPSS Percentile 11.2%

Details

Status published

Products (13)

linux/Kernel 6.1.0 - 6.6.117linux

linux/Kernel 6.13.0 - 6.17.8linux

linux/Kernel 6.7.0 - 6.12.58linux

Linux/Linux < 6.1

Linux/Linux 6.1

Linux/Linux 6.12.58 - 6.12.*

Linux/Linux 6.17.8 - 6.17.*

Linux/Linux 6.18

Linux/Linux 6.6.117 - 6.6.*

Linux/Linux ebe98f1447bbccf8228335c62d86af02a0ed23f7 - 065bd62412271a2d734810dd50336cae88c54427

... and 3 more

Published Dec 09, 2025

Tracked Since Feb 18, 2026