CVE-2025-38711 in Linuxinfo

Summary

by MITRE • 09/04/2025

In the Linux kernel, the following vulnerability has been resolved:

smb/server: avoid deadlock when linking with ReplaceIfExists

If smb2_create_link() is called with ReplaceIfExists set and the name does exist then a deadlock will happen.

ksmbd_vfs_kern_path_locked() will return with success and the parent directory will be locked. ksmbd_vfs_remove_file() will then remove the file. ksmbd_vfs_link() will then be called while the parent is still locked. It will try to lock the same parent and will deadlock.

This patch moves the ksmbd_vfs_kern_path_unlock() call to *before* ksmbd_vfs_link() and then simplifies the code, removing the file_present flag variable.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/10/2026

The vulnerability identified as CVE-2025-38711 represents a critical deadlock condition within the Linux kernel's smb server implementation, specifically affecting the ksmbd subsystem that handles server message block protocol operations. This flaw manifests when the smb2_create_link() function processes requests with the ReplaceIfExists flag enabled, creating a scenario where concurrent access to shared resources results in system-wide停滞. The vulnerability operates at the intersection of file system operations and kernel-level synchronization mechanisms, demonstrating how seemingly routine file linking operations can escalate into system-critical failures.

The technical root cause of this vulnerability lies in the improper ordering of resource management operations within the smb server's file linking logic. When a file link operation is initiated with ReplaceIfExists set, the ksmbd_vfs_kern_path_locked() function successfully resolves the path and acquires a lock on the parent directory. Subsequently, ksmbd_vfs_remove_file() executes to delete the existing file, but the subsequent call to ksmbd_vfs_link() occurs while the parent directory remains locked. This creates a classic deadlock scenario where the link operation attempts to reacquire the same lock it already holds, resulting in indefinite waiting and system resource exhaustion. The vulnerability specifically manifests as a circular dependency between locking operations, with the parent directory lock being held across multiple function calls without proper release.

From an operational impact perspective, this vulnerability presents a severe threat to systems running smb server implementations, particularly those handling concurrent file operations or serving as file servers in enterprise environments. The deadlock condition can result in complete system unresponsiveness, requiring manual intervention or system reboot to restore functionality. Attackers could potentially exploit this vulnerability through crafted smb requests that trigger the specific code path, leading to denial of service conditions that could disrupt critical business operations. The vulnerability affects systems where ksmbd is actively managing file links with replacement semantics, making it particularly dangerous in environments with high file I/O activity or automated file management processes.

The mitigation strategy for CVE-2025-38711 involves implementing the patch that reorders the resource management operations to prevent the lock contention scenario. The solution moves the ksmbd_vfs_kern_path_unlock() call to occur before ksmbd_vfs_link() execution, effectively breaking the circular dependency that causes the deadlock. This approach aligns with established best practices for lock ordering and resource management in kernel space, where locks should be released before invoking operations that might require the same locks. The patch also simplifies the code by eliminating the file_present flag variable, reducing complexity and potential for similar issues in the future. This fix directly addresses the CWE-362 weakness category related to race conditions and improper locking mechanisms, while also aligning with ATT&CK technique T1499.004 for endpoint denial of service through resource exhaustion. Organizations should prioritize applying this patch to systems running affected kernel versions to prevent potential exploitation and maintain system stability in smb server environments.

Responsible

Linux

Reservation

04/16/2025

Disclosure

09/04/2025

Moderation

accepted

CPE

ready

EPSS

0.00111

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!