CVE-2025-37750 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix UAF in decryption with multichannel

After commit f7025d861694 ("smb: client: allocate crypto only for primary server") and commit b0abcd65ec54 ("smb: client: fix UAF in async decryption"), the channels started reusing AEAD TFM from primary channel to perform synchronous decryption, but that can't done as there could be multiple cifsd threads (one per channel) simultaneously accessing it to perform decryption.

This fixes the following KASAN splat when running fstest generic/249 with 'vers=3.1.1,multichannel,max_channels=4,seal' against Windows Server 2022:

BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xba/0x110 Read of size 8 at addr ffff8881046c18a0 by task cifsd/986 CPU: 3 UID: 0 PID: 986 Comm: cifsd Not tainted 6.15.0-rc1 #1 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 print_report+0x156/0x528 ? gf128mul_4k_lle+0xba/0x110 ? __virt_addr_valid+0x145/0x300 ? __phys_addr+0x46/0x90 ? gf128mul_4k_lle+0xba/0x110 kasan_report+0xdf/0x1a0 ? gf128mul_4k_lle+0xba/0x110 gf128mul_4k_lle+0xba/0x110 ghash_update+0x189/0x210 shash_ahash_update+0x295/0x370 ? __pfx_shash_ahash_update+0x10/0x10 ? __pfx_shash_ahash_update+0x10/0x10 ? __pfx_extract_iter_to_sg+0x10/0x10 ? ___kmalloc_large_node+0x10e/0x180 ? __asan_memset+0x23/0x50 crypto_ahash_update+0x3c/0xc0 gcm_hash_assoc_remain_continue+0x93/0xc0 crypt_message+0xe09/0xec0 [cifs]
? __pfx_crypt_message+0x10/0x10 [cifs]
? _raw_spin_unlock+0x23/0x40 ? __pfx_cifs_readv_from_socket+0x10/0x10 [cifs]
decrypt_raw_data+0x229/0x380 [cifs]
? __pfx_decrypt_raw_data+0x10/0x10 [cifs]
? __pfx_cifs_read_iter_from_socket+0x10/0x10 [cifs]
smb3_receive_transform+0x837/0xc80 [cifs]
? __pfx_smb3_receive_transform+0x10/0x10 [cifs]
? __pfx___might_resched+0x10/0x10 ? __pfx_smb3_is_transform_hdr+0x10/0x10 [cifs]
cifs_demultiplex_thread+0x692/0x1570 [cifs]
? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
? rcu_is_watching+0x20/0x50 ? rcu_lockdep_current_cpu_online+0x62/0xb0 ? find_held_lock+0x32/0x90 ? kvm_sched_clock_read+0x11/0x20 ? local_clock_noinstr+0xd/0xd0 ? trace_irq_enable.constprop.0+0xa8/0xe0 ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
kthread+0x1fe/0x380 ? kthread+0x10f/0x380 ? __pfx_kthread+0x10/0x10 ? local_clock_noinstr+0xd/0xd0 ? ret_from_fork+0x1b/0x60 ? local_clock+0x15/0x30 ? lock_release+0x29b/0x390 ? rcu_is_watching+0x20/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK>

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 03/15/2026

The vulnerability CVE-2025-37750 resides within the Linux kernel's Server Message Block (SMB) client implementation, specifically affecting the handling of cryptographic operations during multichannel SMB sessions. This issue manifests as a use-after-free (UAF) condition that occurs when multiple threads attempt to access shared AEAD (Authenticated Encryption with Associated Data) TFM (Transformation) structures simultaneously during synchronous decryption operations. The flaw was introduced following two previous commits that attempted to optimize crypto resource allocation by reusing primary channel AEAD TFM for secondary channels, which inadvertently created a race condition in multithreaded environments.

The technical root cause stems from improper synchronization mechanisms when multiple cifsd threads access the same cryptographic context concurrently. When the system operates with multichannel SMB settings, particularly with parameters like 'vers=3.1.1,multichannel,max_channels=4,seal', each channel spawns its own thread to perform decryption tasks. The previous optimization assumed that AEAD TFM structures could be safely shared among threads, but this assumption proved incorrect as multiple threads could simultaneously attempt to use and potentially free the same memory structures. This leads to a classic use-after-free scenario where one thread frees a memory region while another thread attempts to access it, resulting in memory corruption and potential system instability.

The operational impact of this vulnerability extends beyond simple system crashes, as it can lead to arbitrary code execution or privilege escalation within the kernel space. The KASAN (Kernel Address Sanitizer) report demonstrates that the issue manifests during cryptographic operations, specifically in the gf128mul_4k_lle function which is part of the GHASH implementation used in GCM (Galois/Counter Mode) encryption. The call trace shows the problem originating from the cifs module's decrypt_raw_data function, which attempts to perform cryptographic operations on data received through smb3_receive_transform, ultimately leading to a memory access violation when trying to use freed memory in the ghash_update function. This vulnerability is particularly concerning in enterprise environments where SMB multichannel is actively used for performance optimization, as it can be exploited to compromise the integrity and confidentiality of network communications.

Mitigation strategies for this vulnerability involve implementing proper synchronization mechanisms to prevent concurrent access to shared AEAD TFM structures during decryption operations. The fix requires ensuring that each channel maintains its own independent cryptographic context rather than sharing the primary channel's resources, which aligns with the principle of least privilege and proper resource isolation. Additionally, system administrators should consider disabling multichannel SMB functionality in environments where the risk of exploitation is high, or ensure that all systems are updated with the patched kernel version that resolves this specific UAF condition. The vulnerability can be addressed through proper memory management practices and adherence to secure coding principles that prevent race conditions in concurrent environments, which is consistent with CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and ATT&CK technique T1059.008 (Command and Scripting Interpreter: PowerShell) where such vulnerabilities can be leveraged to execute malicious code. Organizations should also implement monitoring solutions to detect anomalous behavior patterns that may indicate exploitation attempts, particularly in environments with active SMB multichannel configurations.

Responsible

Linux

Reservation

04/16/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00158

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!