
CVE-2025-21673: Vulnerability in Linux (Linux kernel)

Severity: High
Published: Fri Jan 31 2025 (01/31/2025, 11:25:35 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix double free of TCP_Server_Info::hostname

When shutting down the server in cifs_put_tcp_session(), cifsd thread might be reconnecting to multiple DFS targets before it realizes it should exit the loop, so @server->hostname can't be freed as long as cifsd thread isn't done. Otherwise the following can happen:

RIP: 0010:__slab_free+0x223/0x3c0
Code: 5e 41 5f c3 cc cc cc cc 4c 89 de 4c 89 cf 44 89 44 24 08 4c 89 1c 24 e8 fb cf 8e 00 44 8b 44 24 08 4c 8b 1c 24 e9 5f fe ff ff <0f> 0b 41 f7 45 08 00 0d 21 00 0f 85 2d ff ff ff e9 1f ff ff ff 80
RSP: 0018:ffffb26180dbfd08 EFLAGS: 00010246
RAX: ffff8ea34728e510 RBX: ffff8ea34728e500 RCX: 0000000000800068
RDX: 0000000000800068 RSI: 0000000000000000 RDI: ffff8ea340042400
RBP: ffffe112041ca380 R08: 0000000000000001 R09: 0000000000000000
R10: 6170732e31303000 R11: 70726f632e786563 R12: ffff8ea34728e500
R13: ffff8ea340042400 R14: ffff8ea34728e500 R15: 0000000000800068
FS: 0000000000000000(0000) GS:ffff8ea66fd80000(0000) 000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc25376080 CR3: 000000012a2ba001 CR4:
PKRU: 55555554
Call Trace:
 <TASK>
 ? show_trace_log_lvl+0x1c4/0x2df
 ? show_trace_log_lvl+0x1c4/0x2df
 ? __reconnect_target_unlocked+0x3e/0x160 [cifs]
 ? __die_body.cold+0x8/0xd
 ? die+0x2b/0x50
 ? do_trap+0xce/0x120
 ? __slab_free+0x223/0x3c0
 ? do_error_trap+0x65/0x80
 ? __slab_free+0x223/0x3c0
 ? exc_invalid_op+0x4e/0x70
 ? __slab_free+0x223/0x3c0
 ? asm_exc_invalid_op+0x16/0x20
 ? __slab_free+0x223/0x3c0
 ? extract_hostname+0x5c/0xa0 [cifs]
 ? extract_hostname+0x5c/0xa0 [cifs]
 ? __kmalloc+0x4b/0x140
 __reconnect_target_unlocked+0x3e/0x160 [cifs]
 reconnect_dfs_server+0x145/0x430 [cifs]
 cifs_handle_standard+0x1ad/0x1d0 [cifs]
 cifs_demultiplex_thread+0x592/0x730 [cifs]
 ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
 kthread+0xdd/0x100
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x29/0x50
 </TASK>

AI-Powered Analysis

Last updated: 06/27/2025, 23:12:21 UTC

Technical Analysis

CVE-2025-21673 is a vulnerability identified in the Linux kernel's CIFS (Common Internet File System) client implementation, specifically related to the handling of TCP_Server_Info::hostname during server shutdown sequences. The flaw arises in the cifs_put_tcp_session() function, where the CIFS daemon (cifsd) thread may attempt to reconnect to multiple DFS (Distributed File System) targets before it properly exits a loop. This improper handling leads to a double free condition of the server hostname memory object. The double free occurs because the hostname pointer is freed prematurely while the cifsd thread is still active and potentially referencing it. This results in a use-after-free scenario that can cause kernel crashes (denial of service) or potentially enable arbitrary code execution in kernel context if exploited. The provided kernel stack trace shows the crash occurring in the slab allocator's free function (__slab_free), triggered by the double free. The vulnerability affects multiple Linux kernel versions identified by specific commit hashes. No CVSS score is currently assigned, and there are no known exploits in the wild as of the publication date (January 31, 2025). The issue is rooted in the CIFS client's DFS reconnection logic and memory management, which is critical for network file sharing services on Linux systems.

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily to environments that utilize Linux servers for SMB/CIFS file sharing, especially those relying on DFS namespaces. Exploitation could lead to kernel crashes causing denial of service, disrupting critical file sharing and collaboration services. In worst-case scenarios, if an attacker can craft conditions to exploit the double free for arbitrary code execution, it could lead to full system compromise, allowing attackers to escalate privileges and move laterally within networks. This is particularly concerning for enterprises, government agencies, and critical infrastructure operators in Europe that depend on Linux-based file servers for daily operations. The disruption or compromise of such services can impact data confidentiality, integrity, and availability, potentially leading to data breaches, operational downtime, and regulatory non-compliance under GDPR and other data protection laws.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Apply the latest Linux kernel patches that address CVE-2025-21673 as soon as they become available from trusted sources or Linux distributions.
2) Temporarily disable or limit the use of CIFS/SMB DFS features on Linux clients and servers if patching is delayed, especially in high-risk environments.
3) Monitor kernel logs and system stability for signs of crashes related to CIFS operations to detect potential exploitation attempts.
4) Implement network segmentation and strict access controls to limit exposure of CIFS services to untrusted networks or users.
5) Employ runtime security tools capable of detecting anomalous kernel behavior or memory corruption indicative of exploitation attempts.
6) Conduct thorough testing of patches in staging environments to ensure stability before deployment in production.

These steps go beyond generic advice by focusing on immediate operational controls and proactive detection tailored to the CIFS/DFS context.
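Recommendation 3 asks for kernel-log monitoring. The following is an added example, not code from this page or from the Linux project: it parses a constructed dmesg-style excerpt and flags oops records that faulted in slab free code with cifs frames on the stack, the shape of the trace quoted in the description. The sample lines and the second, unrelated crash (module name demo_mod) are constructed for the example.

```python
import re

# Constructed dmesg excerpt (not a real capture). The first oops mirrors frames
# quoted in the CVE-2025-21673 description; the second is a made-up, unrelated
# crash that the detector must leave alone.
SAMPLE_DMESG = """\
[  812.100001] RIP: 0010:__slab_free+0x223/0x3c0
[  812.100003]  <TASK>
[  812.100004]  ? __slab_free+0x223/0x3c0
[  812.100005]  ? extract_hostname+0x5c/0xa0 [cifs]
[  812.100006]  __reconnect_target_unlocked+0x3e/0x160 [cifs]
[  812.100007]  reconnect_dfs_server+0x145/0x430 [cifs]
[  812.100008]  cifs_demultiplex_thread+0x592/0x730 [cifs]
[  812.100009]  kthread+0xdd/0x100
[  812.100010]  </TASK>
[  900.200001] RIP: 0010:demo_null_deref+0x10/0x20 [demo_mod]
[  900.200003]  <TASK>
[  900.200004]  demo_ioctl+0x44/0x80 [demo_mod]
[  900.200005]  </TASK>
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
RIP_RE = re.compile(r"RIP: \w+:(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
FRAME_RE = re.compile(
    r"^\s*(?P<unsure>\?\s+)?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(?P<mod>\w+)\])?")
# Faulting inside allocator free code points at a freed-object bug (double free,
# use-after-free) rather than a plain NULL dereference.
FREE_SYMBOLS = {"__slab_free", "slab_free", "kfree", "kmem_cache_free"}

def parse_oopses(text):
    # Split a dmesg dump into records: faulting symbol plus reliable trace frames.
    oopses, in_trace = [], False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        m = RIP_RE.search(line)
        if m:                                   # a new oops starts at its RIP line
            oopses.append({"rip": m.group("sym"), "frames": []})
            in_trace = False
        elif line == "<TASK>":
            in_trace = True
        elif line == "</TASK>":
            in_trace = False
        elif in_trace and oopses:
            f = FRAME_RE.match(line)
            if f and not f.group("unsure"):     # '?' marks an unreliable frame
                oopses[-1]["frames"].append((f.group("sym"), f.group("mod")))
    return oopses

def find_cifs_free_crashes(text):
    # Return oopses that faulted in free code while cifs frames were on the stack.
    hits = []
    for oops in parse_oopses(text):
        cifs = [sym for sym, mod in oops["frames"] if mod == "cifs"]
        if oops["rip"] in FREE_SYMBOLS and cifs:
            hits.append({"rip": oops["rip"], "cifs_frames": cifs})
    return hits
```

Feed it `dmesg` or journal output for a host running the CIFS client; a hit is a crash worth correlating with the patch state of that kernel.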


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.736Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9820c4522896dcbdd2ce

Added to database: 5/21/2025, 9:08:48 AM

Last enriched: 6/27/2025, 11:12:21 PM

Last updated: 8/18/2025, 11:33:01 PM

Views: 17
