CVE-2025-37750: Vulnerability in the Linux kernel (SMB client)
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix UAF in decryption with multichannel

After commit f7025d861694 ("smb: client: allocate crypto only for primary server") and commit b0abcd65ec54 ("smb: client: fix UAF in async decryption"), the channels started reusing AEAD TFM from primary channel to perform synchronous decryption, but that can't be done as there could be multiple cifsd threads (one per channel) simultaneously accessing it to perform decryption.

This fixes the following KASAN splat when running fstest generic/249 with 'vers=3.1.1,multichannel,max_channels=4,seal' against Windows Server 2022:

BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xba/0x110
Read of size 8 at addr ffff8881046c18a0 by task cifsd/986

CPU: 3 UID: 0 PID: 986 Comm: cifsd Not tainted 6.15.0-rc1 #1 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x5d/0x80
 print_report+0x156/0x528
 ? gf128mul_4k_lle+0xba/0x110
 ? __virt_addr_valid+0x145/0x300
 ? __phys_addr+0x46/0x90
 ? gf128mul_4k_lle+0xba/0x110
 kasan_report+0xdf/0x1a0
 ? gf128mul_4k_lle+0xba/0x110
 gf128mul_4k_lle+0xba/0x110
 ghash_update+0x189/0x210
 shash_ahash_update+0x295/0x370
 ? __pfx_shash_ahash_update+0x10/0x10
 ? __pfx_shash_ahash_update+0x10/0x10
 ? __pfx_extract_iter_to_sg+0x10/0x10
 ? ___kmalloc_large_node+0x10e/0x180
 ? __asan_memset+0x23/0x50
 crypto_ahash_update+0x3c/0xc0
 gcm_hash_assoc_remain_continue+0x93/0xc0
 crypt_message+0xe09/0xec0 [cifs]
 ? __pfx_crypt_message+0x10/0x10 [cifs]
 ? _raw_spin_unlock+0x23/0x40
 ? __pfx_cifs_readv_from_socket+0x10/0x10 [cifs]
 decrypt_raw_data+0x229/0x380 [cifs]
 ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]
 ? __pfx_cifs_read_iter_from_socket+0x10/0x10 [cifs]
 smb3_receive_transform+0x837/0xc80 [cifs]
 ? __pfx_smb3_receive_transform+0x10/0x10 [cifs]
 ? __pfx___might_resched+0x10/0x10
 ? __pfx_smb3_is_transform_hdr+0x10/0x10 [cifs]
 cifs_demultiplex_thread+0x692/0x1570 [cifs]
 ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
 ? rcu_is_watching+0x20/0x50
 ? rcu_lockdep_current_cpu_online+0x62/0xb0
 ? find_held_lock+0x32/0x90
 ? kvm_sched_clock_read+0x11/0x20
 ? local_clock_noinstr+0xd/0xd0
 ? trace_irq_enable.constprop.0+0xa8/0xe0
 ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
 kthread+0x1fe/0x380
 ? kthread+0x10f/0x380
 ? __pfx_kthread+0x10/0x10
 ? local_clock_noinstr+0xd/0xd0
 ? ret_from_fork+0x1b/0x60
 ? local_clock+0x15/0x30
 ? lock_release+0x29b/0x390
 ? rcu_is_watching+0x20/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x31/0x60
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
 </TASK>
AI Analysis
Technical Summary
CVE-2025-37750 is a use-after-free (UAF) in the Linux kernel's SMB client (the cifs module, fs/smb/client), in the path that decrypts SMB 3.x encrypted ("sealed") traffic when multichannel is in use. Two earlier commits, f7025d861694 ("smb: client: allocate crypto only for primary server") and b0abcd65ec54 ("smb: client: fix UAF in async decryption"), changed secondary channels to reuse the primary channel's AEAD (Authenticated Encryption with Associated Data) transform object (TFM) for synchronous decryption instead of allocating their own. Each channel is serviced by its own cifsd kernel thread (cifs_demultiplex_thread in the trace; cifsd is a kernel thread, not a user-space daemon), so with multichannel several of these threads can decrypt at the same time on one shared transform that was never meant for concurrent use. The KASAN report in the description shows the consequence: a read of freed slab memory inside gf128mul_4k_lle, the GHASH multiplication that AES-GCM uses to authenticate a message, reached from crypt_message via decrypt_raw_data and smb3_receive_transform while a cifsd thread was processing an encrypted response. That location is consistent with one channel's per-message key setup on the shared transform (crypt_message calls crypto_aead_setkey before every message, and the generic GHASH setkey frees and reallocates its multiplication table) tearing down the table while another channel's thread is still hashing with it. The reporter reproduced the bug with fstests generic/249 on a mount using vers=3.1.1,multichannel,max_channels=4,seal against Windows Server 2022: the trigger needs both multichannel and encrypted SMB traffic, and it was reached during ordinary file-system I/O against a legitimate server, not by a crafted packet. The resolution, as the commit title says, is to stop sharing one transform across channels for decryption. As with any kernel UAF, the observable effect is a crash (denial of service); turning a race on crypto state into code execution would be considerably harder, and nothing on this page claims it has been done. Affected kernels are those that contain both commits above and not the fix. No CVSS score has been assigned, and no exploitation in the wild was reported at the time of publication (May 2025).
Potential Impact
This is a bug in the SMB client (cifs.ko), so the exposed systems are Linux hosts that mount SMB shares with multichannel enabled and encryption in use, either through the seal mount option or because the server or share requires encryption; Linux SMB servers (Samba, ksmbd) are not affected by this CVE. Such mounts are typical for application servers, backup hosts, build and compute nodes and container hosts attached to Windows file servers or NAS appliances. For European organizations the realistic outcome is a kernel crash in a cifsd thread, i.e. a denial of service that takes down the whole host and every workload on it, and because the race is between the client's own channels it can be hit by ordinary I/O load, not only by a hostile server. A kernel use-after-free can in principle be turned into arbitrary code execution with kernel privileges, with the usual consequences for confidentiality, integrity and availability (access to sensitive data, lateral movement, persistent footholds), but exploiting a race on crypto state reliably is difficult and no exploit is reported. Given how widely Linux clients of Windows file services are deployed across enterprise, cloud and public-sector environments in Europe, sectors such as finance, healthcare, government and telecommunications are all potentially affected; the dependence on a specific mount configuration narrows the exposed population, while the severity for an exposed host remains high.
Mitigation Recommendations
European organizations should apply a kernel that carries the fix for CVE-2025-37750; the issue is already resolved upstream, so check your distribution's security tracker or kernel changelog for the CVE identifier rather than waiting for a new release. Until the patched kernel is running, remove multichannel (and max_channels) from the mount options of affected shares in /etc/fstab, autofs maps and any orchestration that mounts cifs; disabling multichannel on the SMB server also works, because the client then negotiates a single channel. Do not drop seal as a workaround: it removes encryption rather than exposure, and the vulnerable path is still exercised when the server or share enforces encryption. Audit current mounts for multichannel (findmnt -t cifs -o TARGET,SOURCE,OPTIONS; /proc/fs/cifs/DebugData lists the sessions and their channels) and fix any that were mounted outside fstab. Production kernels do not run KASAN, so the signature to watch for is a kernel oops or panic whose trace contains cifsd together with crypt_message, decrypt_raw_data or smb3_receive_transform [cifs]; collect it from dmesg, the journal and kdump/pstore, and treat repeated occurrences on a multichannel client as a likely instance of this bug rather than as flaky hardware. Patching Windows Server 2022 does not address this CVE; it was only the test server in the reproducer. Restricting SMB traffic to trusted servers by segmentation and least-privilege share permissions remains good practice and limits exposure to a malicious server, but it does not stop the crash against a legitimate one. Generic IDS and EDR signatures are unlikely to see a kernel-internal race; kernel crash telemetry is the useful signal.
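The audit script below is an added example written for this page; it is not part of the advisory, the kernel tree or any distribution tooling. It flags cifs mounts whose options match the vulnerable configuration and pulls kernel-log lines that carry the crash signature from the trace above. It assumes that the options the cifs module reports (multichannel, max_channels=N, seal) appear in the superblock-options field of /proc/self/mountinfo, after the " - " separator. The mountinfo and kernel-log samples are constructed; the hostnames, shares, addresses, PIDs and timestamps are made up.

```shell
#!/bin/sh
# CVE-2025-37750 exposure audit.  Added example for this page; not from the advisory,
# the kernel tree or any distribution tooling.  Assumption: cifs reports the options
# "multichannel", "max_channels=N" and "seal" in the superblock-options field (after
# the " - " separator) of /proc/self/mountinfo.

# cifs_risky_mounts: stdin = /proc/self/mountinfo lines.
# stdout = "<mountpoint> <verdict>" for every cifs/smb3 mount:
#   AFFECTED_CONFIG   multichannel and seal both present (the reproducer's configuration)
#   REVIEW_...        multichannel without seal: still exposed if the server or share
#                     enforces encryption, so check the server side
#   ok                single channel; the shared-transform decryption path is not used
cifs_risky_mounts() {
    awk '
    {
        sep = index($0, " - ")            # mountinfo: mount fields, " - ", fstype source sb-options
        if (sep == 0) next
        n = split(substr($0, sep + 3), sb, " ")
        if (n < 3 || (sb[1] != "cifs" && sb[1] != "smb3")) next
        opts = "," sb[3] ","              # pad so ",seal," matches only a whole option
        multi = (index(opts, ",multichannel,") > 0)
        seal  = (index(opts, ",seal,") > 0)
        if (multi && seal) v = "AFFECTED_CONFIG"
        else if (multi)    v = "REVIEW_ENCRYPTION_MAY_BE_SERVER_ENFORCED"
        else               v = "ok"
        print $5, v                       # field 5 of mountinfo is the mount point
    }'
}

# cifs_crash_lines: stdin = kernel log (dmesg / journalctl -k).
# stdout = lines carrying the crash signature from the advisory's trace: the KASAN
# header, the faulting cifsd task, and the cifs decryption frames.  Kernels without
# KASAN report the same frames under an Oops / general protection fault instead.
cifs_crash_lines() {
    grep -E 'slab-use-after-free in gf128mul_4k_lle|by task cifsd/|(crypt_message|decrypt_raw_data|smb3_receive_transform)[+]0x[0-9a-f]+/0x[0-9a-f]+ \[cifs\]'
}

# cifs_audit_host: run both checks against the live system (needs root for the log).
cifs_audit_host() {
    echo "== cifs mounts =="
    cifs_risky_mounts < /proc/self/mountinfo
    echo "== kernel log =="
    { journalctl -k --no-pager 2>/dev/null || dmesg 2>/dev/null; } | cifs_crash_lines \
        || echo "(no crash signature found)"
}

# Constructed sample data (made-up hosts, shares, addresses, PIDs and timestamps).
SAMPLE_MOUNTINFO='91 29 0:48 / /mnt/share1 rw,relatime shared:50 - cifs //fileserver.example.internal/data rw,vers=3.1.1,cache=strict,username=svc,uid=0,noforceuid,gid=0,noforcegid,addr=10.0.0.5,soft,seal,multichannel,max_channels=4
92 29 0:49 / /mnt/share2 rw,relatime shared:51 - cifs //fileserver.example.internal/logs rw,vers=3.1.1,cache=strict,username=svc,uid=0,addr=10.0.0.5,multichannel,max_channels=2
93 29 0:50 / /mnt/share3 rw,relatime shared:52 - cifs //nas.example.internal/backup rw,vers=3.0,cache=strict,username=backup,uid=0,addr=10.0.0.9,seal
94 29 8:2 / /home rw,relatime shared:53 - ext4 /dev/sda2 rw'

SAMPLE_KLOG='[ 1234.567890] CIFS: VFS: \\fileserver.example.internal Send error in SessSetup = -13
[ 1240.000001] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xba/0x110
[ 1240.000002] Read of size 8 at addr ffff8881046c18a0 by task cifsd/986
[ 1240.000003]  crypt_message+0xe09/0xec0 [cifs]
[ 1240.000004]  decrypt_raw_data+0x229/0x380 [cifs]
[ 1240.000005]  smb3_receive_transform+0x837/0xc80 [cifs]
[ 1240.000006]  cifs_demultiplex_thread+0x692/0x1570 [cifs]
[ 1300.000000] eth0: Link is Up - 10Gbps/Full'

if [ "${1:-}" = "--live" ]; then
    cifs_audit_host
else
    echo "== sample mounts =="
    printf '%s\n' "$SAMPLE_MOUNTINFO" | cifs_risky_mounts
    echo "== sample kernel log =="
    printf '%s\n' "$SAMPLE_KLOG" | cifs_crash_lines
fi
```

Run it with --live on a client to audit the real mountinfo and kernel log; without arguments it runs against the embedded samples, where /mnt/share1 is reported as AFFECTED_CONFIG, /mnt/share2 as needing a server-side check and /mnt/share3 as ok. The REVIEW verdict exists because a mount can be encrypted without seal when the server or share requires encryption, which mountinfo does not show.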
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-04-16T04:51:23.937Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdd47c
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 7/3/2025, 10:40:08 PM
Last updated: 8/14/2025, 8:30:18 AM