CVE-2025-40328 in Linux
Summary
by MITRE • 12/09/2025
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix potential UAF in smb2_close_cached_fid()
find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free.
Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/30/2026
This vulnerability exists within the Linux kernel's SMB client implementation, specifically in the smb2_close_cached_fid() function where a use-after-free condition can occur due to improper reference counting mechanisms. The flaw manifests when the find_or_create_cached_dir() function attempts to acquire a new reference to a cached file identifier after kref_put() has already decremented the reference count to zero but before the cfid_list_lock is acquired. This race condition creates a window where a freed memory location can be accessed, potentially leading to system instability or arbitrary code execution. The vulnerability is classified as a use-after-free condition which aligns with CWE-416 and represents a critical memory safety issue in kernel space operations.
The technical implementation of this vulnerability stems from the improper handling of reference counting in the SMB client subsystem. When kref_put() executes, it decrements the reference count and may trigger the release of resources if the count reaches zero, but the subsequent acquisition of cfid_list_lock occurs after this process has completed. This timing gap allows another thread or process to potentially grab a reference to the same resource, creating a scenario where the memory location is freed but still accessed. The vulnerability specifically affects the smb2_close_cached_fid() function which manages cached file identifiers for SMB2 protocol operations, making it particularly dangerous in network file sharing environments where multiple concurrent operations are common.
The operational impact of this vulnerability extends beyond simple system crashes, potentially enabling privilege escalation or denial of service attacks in environments utilizing SMB file sharing protocols. Attackers could exploit this race condition to cause system instability or potentially execute arbitrary code with kernel privileges, given that the vulnerability occurs within kernel space memory management. The vulnerability affects systems running Linux kernels that implement SMB client functionality, particularly those handling multiple concurrent SMB operations or caching file identifiers. Organizations using SMB file servers, network attached storage systems, or any environment where SMB protocol operations are prevalent would be at risk from this vulnerability.
The mitigation strategy involves implementing kref_put_lock() instead of the standard kref_put() to ensure that cfid_release() is called while maintaining the cfid_list_lock, thereby eliminating the race condition window. This approach aligns with established kernel security practices and follows the principle of holding locks during critical reference counting operations. System administrators should prioritize applying kernel updates that contain this fix, particularly in environments where SMB client functionality is actively used. The fix addresses the root cause by ensuring atomicity between reference count manipulation and lock acquisition, preventing the scenario where a freed resource can be accessed by another thread. Additionally, monitoring for unusual system behavior or crashes in SMB client operations should be implemented as part of defensive measures while awaiting patch deployment. This vulnerability demonstrates the importance of proper synchronization mechanisms in kernel memory management and highlights the critical nature of race condition prevention in security-sensitive code paths.