CVE-2025-68295 in Linuxinfo

Summary

by MITRE • 12/16/2025

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix memory leak in cifs_construct_tcon()

When having a multiuser mount with domain= specified and using cifscreds, cifs_set_cifscreds() will end up setting @ctx->domainname, so it needs to be freed before leaving cifs_construct_tcon().

This fixes the following memory leak reported by kmemleak:

mount.cifs //srv/share /mnt -o domain=ZELDA,multiuser,... su - testuser cifscreds add -d ZELDA -u testuser ... ls /mnt/1 ... umount /mnt echo scan > /sys/kernel/debug/kmemleak cat /sys/kernel/debug/kmemleak unreferenced object 0xffff8881203c3f08 (size 8): comm "ls", pid 5060, jiffies 4307222943 hex dump (first 8 bytes): 5a 45 4c 44 41 00 cc cc ZELDA... backtrace (crc d109a8cf): __kmalloc_node_track_caller_noprof+0x572/0x710 kstrdup+0x3a/0x70 cifs_sb_tlink+0x1209/0x1770 [cifs]
cifs_get_fattr+0xe1/0xf50 [cifs]
cifs_get_inode_info+0xb5/0x240 [cifs]
cifs_revalidate_dentry_attr+0x2d1/0x470 [cifs]
cifs_getattr+0x28e/0x450 [cifs]
vfs_getattr_nosec+0x126/0x180 vfs_statx+0xf6/0x220 do_statx+0xab/0x110 __x64_sys_statx+0xd5/0x130 do_syscall_64+0xbb/0x380 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 05/24/2026

The vulnerability CVE-2025-68295 addresses a memory leak within the Linux kernel's CIFS (Common Internet File System) client implementation, specifically in the cifs_construct_tcon() function. This issue manifests when utilizing multiuser mounts with a domain parameter, creating a scenario where memory allocated for domain name context is not properly freed before function exit. The flaw occurs during the cifs_set_cifscreds() operation which assigns the domain name to ctx->domainname, leaving the memory unreleased when control flow exits cifs_construct_tcon(). This represents a classic memory management oversight that can lead to gradual resource exhaustion over time. The vulnerability is particularly relevant in environments where CIFS shares are frequently accessed through multiuser authentication mechanisms, making it a persistent concern for systems handling extensive file operations across network shares.

The technical root cause of this memory leak stems from improper resource cleanup within the CIFS client subsystem. When cifs_set_cifscreds() is invoked during credential management for multiuser mounts, it allocates memory for the domain name string but fails to ensure proper deallocation before the function returns. The kmemleak kernel debugging tool identified this specific memory block of 8 bytes that remains unreferenced after the mount operations complete. The memory address 0xffff8881203c3f08 contains the string "ZELDA" followed by padding bytes, confirming that the domain name was indeed allocated and subsequently leaked. This memory leak pattern follows the CWE-401 (Improper Release of Memory before Removing Last Reference) classification, which specifically addresses scenarios where dynamic memory allocations occur without corresponding deallocations. The backtrace demonstrates the leak originates from the kernel's memory allocation path through the cifs_sb_tlink function, which is part of the CIFS filesystem's mount resolution process, making it a core component of the file system's operational flow.

The operational impact of this vulnerability extends beyond simple memory consumption, potentially affecting system stability and performance over extended periods of operation. While each individual leak may be small, repeated operations involving multiuser CIFS mounts can accumulate memory pressure that eventually impacts system responsiveness and resource availability. The vulnerability is particularly concerning in server environments where multiple users frequently access CIFS shares with domain authentication, as it creates a gradual degradation of system resources. The memory leak can compound with other similar issues in the CIFS implementation, potentially leading to memory exhaustion scenarios that could cause system instability or denial of service conditions. This vulnerability operates at the kernel level and affects all Linux systems running with CIFS client functionality, making it a critical concern for enterprise environments where CIFS shares are extensively utilized.

Mitigation strategies for CVE-2025-68295 focus on ensuring proper memory management within the CIFS client implementation. The fix requires that ctx->domainname be freed before exiting cifs_construct_tcon() to prevent the memory leak from occurring. System administrators should ensure their kernel versions include the patched implementation, particularly in environments where multiuser CIFS mounts with domain specifications are common. Regular kernel updates and patch management procedures should be enforced to maintain protection against this vulnerability. Organizations utilizing CIFS shares should monitor system memory usage patterns for signs of gradual consumption that might indicate memory leak activity. The ATT&CK framework's T1070.004 technique for "File Deletion" and T1566.002 for "Phishing: Spearphishing Attachment" could be indirectly relevant in monitoring for malicious exploitation attempts that might leverage such memory vulnerabilities, though this particular CVE represents a benign memory management error rather than an exploit vector. System administrators should also consider implementing memory monitoring tools to detect and alert on unusual memory allocation patterns that could indicate similar memory management issues within the kernel's filesystem subsystem.

Responsible

Linux

Reservation

12/16/2025

Disclosure

12/16/2025

Moderation

accepted

CPE

ready

EPSS

0.00179

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!