CVE-2025-38728 in Linux
Summary
by MITRE • 09/04/2025
In the Linux kernel, the following vulnerability has been resolved:
smb3: fix for slab out of bounds on mount to ksmbd
With KASAN enabled, it is possible to get a slab out of bounds during mount to ksmbd due to missing check in parse_server_interfaces() (see below):
BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x14ee/0x1880 [cifs]
Read of size 4 at addr ffff8881433dba98 by task mount/9827
CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary) Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Dell Inc. Precision Tower 3620/0MWYPT, BIOS 2.13.1 06/14/2019 Call Trace: <TASK> dump_stack_lvl+0x9f/0xf0 print_report+0xd1/0x670 __virt_addr_valid+0x22c/0x430 ? parse_server_interfaces+0x14ee/0x1880 [cifs]
? kasan_complete_mode_report_info+0x2a/0x1f0 ? parse_server_interfaces+0x14ee/0x1880 [cifs]
kasan_report+0xd6/0x110 parse_server_interfaces+0x14ee/0x1880 [cifs]
__asan_report_load_n_noabort+0x13/0x20 parse_server_interfaces+0x14ee/0x1880 [cifs]
? __pfx_parse_server_interfaces+0x10/0x10 [cifs]
? trace_hardirqs_on+0x51/0x60 SMB3_request_interfaces+0x1ad/0x3f0 [cifs]
? __pfx_SMB3_request_interfaces+0x10/0x10 [cifs]
? SMB2_tcon+0x23c/0x15d0 [cifs]
smb3_qfs_tcon+0x173/0x2b0 [cifs]
? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]
? cifs_get_tcon+0x105d/0x2120 [cifs]
? do_raw_spin_unlock+0x5d/0x200 ? cifs_get_tcon+0x105d/0x2120 [cifs]
? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]
cifs_mount_get_tcon+0x369/0xb90 [cifs]
? dfs_cache_find+0xe7/0x150 [cifs]
dfs_mount_share+0x985/0x2970 [cifs]
? check_path.constprop.0+0x28/0x50 ? save_trace+0x54/0x370 ? __pfx_dfs_mount_share+0x10/0x10 [cifs]
? __lock_acquire+0xb82/0x2ba0 ? __kasan_check_write+0x18/0x20 cifs_mount+0xbc/0x9e0 [cifs]
? __pfx_cifs_mount+0x10/0x10 [cifs]
? do_raw_spin_unlock+0x5d/0x200 ? cifs_setup_cifs_sb+0x29d/0x810 [cifs]
cifs_smb3_do_mount+0x263/0x1990 [cifs]
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/10/2026
The vulnerability described in CVE-2025-38728 represents a critical slab out-of-bounds memory access issue within the Linux kernel's SMB3 implementation, specifically affecting the ksmbd server component. This flaw manifests when mounting SMB shares through the CIFS (Common Internet File System) kernel module with KASAN (Kernel Address Sanitizer) enabled, which is a memory error detection tool designed to catch memory corruption issues during kernel runtime. The vulnerability occurs during the parsing of server interfaces, indicating that the kernel fails to properly validate input data structures before accessing memory regions, leading to potential memory corruption and system instability. The reported stack trace shows the error originates from the parse_server_interfaces function within the cifs kernel module, where a read operation of size 4 occurs at address ffff8881433dba98, which lies outside the allocated slab memory boundaries, triggering a KASAN violation.
The technical nature of this vulnerability aligns with CWE-129, which describes improper validation of length of input buffers, and CWE-787, which covers out-of-bounds write operations. The flaw stems from missing input validation within the parse_server_interfaces function, which is responsible for processing network interface information during SMB3 mount operations. When KASAN is enabled, it detects the unauthorized memory access and generates a detailed report showing the exact location and nature of the violation. The error occurs during the SMB3_request_interfaces call sequence, which is part of the standard SMB3 protocol negotiation and connection establishment process. The vulnerability is particularly concerning because it can be triggered through normal SMB mount operations, making it exploitable by attackers who can initiate SMB connections to a vulnerable system. The kernel's memory management system fails to enforce proper bounds checking on the data structures used to store server interface information, allowing for a potential attacker to craft malicious SMB responses that could lead to arbitrary code execution or system crashes.
From an operational perspective, this vulnerability poses significant risks to systems running Linux kernels with ksmbd support and KASAN enabled. The impact extends beyond simple system crashes to potentially enable privilege escalation or denial of service attacks, especially in environments where SMB shares are frequently accessed or where automated mounting processes are in place. The vulnerability affects systems using the CIFS kernel module and specifically impacts the SMB3 protocol implementation, which is widely used in enterprise environments for file sharing and network access. The presence of KASAN in the error report indicates that this vulnerability was likely discovered during kernel development or testing phases where memory error detection was enabled, suggesting that the flaw exists in production code and could be exploited in real-world scenarios. The attack vector requires a remote SMB server to be compromised or a malicious actor to be able to initiate SMB connections to the vulnerable system, making it particularly dangerous in networked environments where SMB services are exposed to untrusted networks.
Mitigation strategies for this vulnerability should focus on immediate kernel updates to address the specific memory validation issue in the parse_server_interfaces function. System administrators should prioritize applying security patches from their kernel vendors or updating to kernel versions that include the fix for this specific slab out-of-bounds condition. In environments where kernel updates cannot be immediately applied, disabling KASAN or using alternative SMB implementations may reduce the risk, though this approach should be carefully evaluated as it may affect system security monitoring capabilities. Network-level mitigations such as restricting SMB access to trusted networks and implementing firewall rules to limit SMB port exposure can provide additional protection layers. The vulnerability also highlights the importance of proper input validation in kernel space code, particularly for functions that process network protocol data. Organizations should implement comprehensive monitoring for memory corruption events and ensure that kernel debugging features like KASAN are properly configured to detect similar issues. Security teams should also consider implementing network segmentation to limit the potential impact of exploitation and establish incident response procedures specifically for kernel-level memory corruption vulnerabilities. The ATT&CK framework classification for this vulnerability would include techniques related to privilege escalation and denial of service, as the memory corruption could potentially be leveraged to gain elevated privileges or disrupt system operations, making it a critical security concern for enterprise environments relying on SMB file sharing services.