
CVE-2024-53185: Vulnerability in the Linux kernel (SMB client)

Severity: High
Published: Fri Dec 27 2024 (12/27/2024, 13:49:28 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix NULL ptr deref in crypto_aead_setkey()

Neither SMB3.0 nor SMB3.02 supports encryption negotiate context, so when SMB2_GLOBAL_CAP_ENCRYPTION flag is set in the negotiate response, the client uses AES-128-CCM as the default cipher. See MS-SMB2 3.3.5.4.

Commit b0abcd65ec54 ("smb: client: fix UAF in async decryption") added a @server->cipher_type check to conditionally call smb3_crypto_aead_allocate(), but that check would always be false as @server->cipher_type is unset for SMB3.02.

Fix the following KASAN splat by setting @server->cipher_type for SMB3.02 as well.

  mount.cifs //srv/share /mnt -o vers=3.02,seal,...

  BUG: KASAN: null-ptr-deref in crypto_aead_setkey+0x2c/0x130
  Read of size 8 at addr 0000000000000020 by task mount.cifs/1095

  CPU: 1 UID: 0 PID: 1095 Comm: mount.cifs Not tainted 6.12.0 #1
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014
  Call Trace:
   <TASK>
   dump_stack_lvl+0x5d/0x80
   ? crypto_aead_setkey+0x2c/0x130
   kasan_report+0xda/0x110
   ? crypto_aead_setkey+0x2c/0x130
   crypto_aead_setkey+0x2c/0x130
   crypt_message+0x258/0xec0 [cifs]
   ? __asan_memset+0x23/0x50
   ? __pfx_crypt_message+0x10/0x10 [cifs]
   ? mark_lock+0xb0/0x6a0
   ? hlock_class+0x32/0xb0
   ? mark_lock+0xb0/0x6a0
   smb3_init_transform_rq+0x352/0x3f0 [cifs]
   ? lock_acquire.part.0+0xf4/0x2a0
   smb_send_rqst+0x144/0x230 [cifs]
   ? __pfx_smb_send_rqst+0x10/0x10 [cifs]
   ? hlock_class+0x32/0xb0
   ? smb2_setup_request+0x225/0x3a0 [cifs]
   ? __pfx_cifs_compound_last_callback+0x10/0x10 [cifs]
   compound_send_recv+0x59b/0x1140 [cifs]
   ? __pfx_compound_send_recv+0x10/0x10 [cifs]
   ? __create_object+0x5e/0x90
   ? hlock_class+0x32/0xb0
   ? do_raw_spin_unlock+0x9a/0xf0
   cifs_send_recv+0x23/0x30 [cifs]
   SMB2_tcon+0x3ec/0xb30 [cifs]
   ? __pfx_SMB2_tcon+0x10/0x10 [cifs]
   ? lock_acquire.part.0+0xf4/0x2a0
   ? __pfx_lock_release+0x10/0x10
   ? do_raw_spin_trylock+0xc6/0x120
   ? lock_acquire+0x3f/0x90
   ? _get_xid+0x16/0xd0 [cifs]
   ? __pfx_SMB2_tcon+0x10/0x10 [cifs]
   ? cifs_get_smb_ses+0xcdd/0x10a0 [cifs]
   cifs_get_smb_ses+0xcdd/0x10a0 [cifs]
   ? __pfx_cifs_get_smb_ses+0x10/0x10 [cifs]
   ? cifs_get_tcp_session+0xaa0/0xca0 [cifs]
   cifs_mount_get_session+0x8a/0x210 [cifs]
   dfs_mount_share+0x1b0/0x11d0 [cifs]
   ? __pfx___lock_acquire+0x10/0x10
   ? __pfx_dfs_mount_share+0x10/0x10 [cifs]
   ? lock_acquire.part.0+0xf4/0x2a0
   ? find_held_lock+0x8a/0xa0
   ? hlock_class+0x32/0xb0
   ? lock_release+0x203/0x5d0
   cifs_mount+0xb3/0x3d0 [cifs]
   ? do_raw_spin_trylock+0xc6/0x120
   ? __pfx_cifs_mount+0x10/0x10 [cifs]
   ? lock_acquire+0x3f/0x90
   ? find_nls+0x16/0xa0
   ? smb3_update_mnt_flags+0x372/0x3b0 [cifs]
   cifs_smb3_do_mount+0x1e2/0xc80 [cifs]
   ? __pfx_vfs_parse_fs_string+0x10/0x10
   ? __pfx_cifs_smb3_do_mount+0x10/0x10 [cifs]
   smb3_get_tree+0x1bf/0x330 [cifs]
   vfs_get_tree+0x4a/0x160
   path_mount+0x3c1/0xfb0
   ? kasan_quarantine_put+0xc7/0x1d0
   ? __pfx_path_mount+0x10/0x10
   ? kmem_cache_free+0x118/0x3e0
   ? user_path_at+0x74/0xa0
   __x64_sys_mount+0x1a6/0x1e0
   ? __pfx___x64_sys_mount+0x10/0x10
   ? mark_held_locks+0x1a/0x90
   do_syscall_64+0xbb/0x1d0
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

AI-Powered Analysis

Last updated: 07/02/2025, 22:57:00 UTC

Technical Analysis

CVE-2024-53185 is a high-severity vulnerability in the Linux kernel's SMB client (fs/smb/client, the cifs module) that affects encrypted mounts negotiated at SMB 3.02. SMB 3.0 and 3.02 have no encryption negotiate context (that arrived with SMB 3.1.1), so when the server sets SMB2_GLOBAL_CAP_ENCRYPTION in its negotiate response the client is expected to fall back to AES-128-CCM (MS-SMB2 3.3.5.4). Commit b0abcd65ec54 ("smb: client: fix UAF in async decryption") made the allocation of the AEAD transform in smb3_crypto_aead_allocate() conditional on @server->cipher_type being set. The client only populated that field for SMB 3.0; for SMB 3.02 it stayed zero, so the guard was always false, no transform was allocated, and the first encrypted request (the tree connect issued during mount) reached crypto_aead_setkey() via crypt_message() with a NULL transform. KASAN reports this as a null-ptr-deref read of size 8 at address 0x20, i.e. a field of the missing transform object; on a kernel without KASAN it is an oops in the mount.cifs task, and with panic_on_oops set it takes the host down. The trigger is a mount that requires encryption over that dialect, for example mount.cifs //srv/share /mnt -o vers=3.02,seal; the dialect is also reached without a vers= pin when default negotiation runs against a server whose highest dialect is 3.02. Existing fstab or autofs entries with those options hit the bug at the next mount on an affected kernel. The defect itself is a NULL pointer dereference; the use-after-free (CWE-416) was the bug the earlier commit fixed, and the guard it added is what introduced this regression. The CVSS v3.1 score of 7.8 (local attack vector, low complexity, low privileges, no user interaction, high confidentiality, integrity and availability impact) is the generic vector; the demonstrated impact is availability, and no attacker influence over the cryptographic operation has been shown. Mounting requires CAP_SYS_ADMIN, so in practice the trigger needs root or an equivalent mount right (a "user" fstab entry or a setuid mount.cifs). No exploitation in the wild is reported. Kernels that carry b0abcd65ec54 but not this fix are affected; the fix sets @server->cipher_type to AES-128-CCM for SMB 3.02 as it already did for SMB 3.0, so the transform is allocated before it is used.

Potential Impact

For European organizations, as for any environment with Linux SMB clients, the primary risk is denial of service: a host that mounts an encrypted (seal) share over SMB 3.02 on an affected kernel oopses in the mount path. The dialect is reached either by pinning vers=3.02 on the client or by letting default negotiation run against a server whose highest dialect is 3.02 (Windows Server 2012 R2-era hosts and NAS appliances on older firmware), so environments that never chose 3.02 explicitly can still be hit. Boot-time fstab, autofs and systemd mount units are the usual way this surfaces after a kernel update: the mount no longer fails cleanly but crashes the mounting task, and with panic_on_oops set it takes the host down. That matters for Linux clients that depend on CIFS shares for application data, backups or build artefacts, including servers interoperating with Windows file servers and NAS devices in finance, manufacturing, government and industrial settings. The CVSS vector rates confidentiality and integrity as high, but the published analysis shows nothing beyond a read from a fixed low address (0x20) through a NULL transform pointer, which user space cannot map under the default mmap_min_addr, so no key manipulation or code execution has been demonstrated and C/I impact should be treated as unproven. Triggering it needs mount privilege (root, or a user allowed to mount by an fstab "user" entry or a setuid mount.cifs), so the realistic actors are operators themselves, insiders and compromised accounts with that right. No exploitation in the wild is reported, but because the trigger is a routine mount, patching is the only way to keep encrypted SMB 3.02 mounts working.

Mitigation Recommendations

1. Apply the kernel update that carries the fix for CVE-2024-53185 (the "smb: client: fix NULL ptr deref in crypto_aead_setkey()" change) from your distribution. It matters most on kernels that already carry b0abcd65ec54, since that is the change that introduced the regression.
2. Until patched, do not mount encrypted shares over SMB 3.02. Prefer pinning vers=3.1.1 where the server supports it (unaffected: the cipher is taken from the negotiate context), otherwise vers=3.0 (unaffected: the client already defaulted it to AES-128-CCM). Dropping seal avoids the crash but sends file data in clear; only do that on a trusted network segment.
3. Audit mount sources before rebooting into an updated kernel: grep /etc/fstab, autofs maps and systemd .mount units for cifs entries that combine seal with vers=3.02, or with servers whose highest dialect is 3.02, and check live systems with findmnt -t cifs -o TARGET,OPTIONS.
4. Watch the kernel log for "null-ptr-deref in crypto_aead_setkey" on KASAN builds, or an oops with crypt_message and smb3_init_transform_rq in the trace on production kernels, and treat a mount.cifs task dying that way as this bug rather than a server-side problem.
5. Restrict who can mount: keep mount.cifs non-setuid, avoid "user" fstab options for CIFS shares, and limit CAP_SYS_ADMIN in containers, so that only operators can reach the trigger.
6. KASAN and similar sanitizers are test-environment tools, not production mitigations; run them against new kernel builds with your real mount options to catch regressions like this before rollout.
7. For critical systems, isolate the Linux clients that must keep SMB mounts, or serve the data over another protocol, until the fix is deployed.
8. Keep backups and recovery procedures current, since the failure mode is a crashed host rather than a failed mount.
9. Coordinate with distribution maintainers and infrastructure teams so the kernel fix and any fstab or automount changes roll out together.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-11-19T17:17:25.012Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9823c4522896dcbdee87

Added to database: 5/21/2025, 9:08:51 AM

Last enriched: 7/2/2025, 10:57:00 PM

Last updated: 8/11/2025, 8:48:17 AM
