CVE-2025-37750: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix UAF in decryption with multichannel

After commit f7025d861694 ("smb: client: allocate crypto only for primary server") and commit b0abcd65ec54 ("smb: client: fix UAF in async decryption"), the channels started reusing AEAD TFM from primary channel to perform synchronous decryption, but that can't be done as there could be multiple cifsd threads (one per channel) simultaneously accessing it to perform decryption.

This fixes the following KASAN splat when running fstest generic/249 with 'vers=3.1.1,multichannel,max_channels=4,seal' against Windows Server 2022:

BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xba/0x110
Read of size 8 at addr ffff8881046c18a0 by task cifsd/986

CPU: 3 UID: 0 PID: 986 Comm: cifsd Not tainted 6.15.0-rc1 #1 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x5d/0x80
 print_report+0x156/0x528
 ? gf128mul_4k_lle+0xba/0x110
 ? __virt_addr_valid+0x145/0x300
 ? __phys_addr+0x46/0x90
 ? gf128mul_4k_lle+0xba/0x110
 kasan_report+0xdf/0x1a0
 ? gf128mul_4k_lle+0xba/0x110
 gf128mul_4k_lle+0xba/0x110
 ghash_update+0x189/0x210
 shash_ahash_update+0x295/0x370
 ? __pfx_shash_ahash_update+0x10/0x10
 ? __pfx_shash_ahash_update+0x10/0x10
 ? __pfx_extract_iter_to_sg+0x10/0x10
 ? ___kmalloc_large_node+0x10e/0x180
 ? __asan_memset+0x23/0x50
 crypto_ahash_update+0x3c/0xc0
 gcm_hash_assoc_remain_continue+0x93/0xc0
 crypt_message+0xe09/0xec0 [cifs]
 ? __pfx_crypt_message+0x10/0x10 [cifs]
 ? _raw_spin_unlock+0x23/0x40
 ? __pfx_cifs_readv_from_socket+0x10/0x10 [cifs]
 decrypt_raw_data+0x229/0x380 [cifs]
 ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]
 ? __pfx_cifs_read_iter_from_socket+0x10/0x10 [cifs]
 smb3_receive_transform+0x837/0xc80 [cifs]
 ? __pfx_smb3_receive_transform+0x10/0x10 [cifs]
 ? __pfx___might_resched+0x10/0x10
 ? __pfx_smb3_is_transform_hdr+0x10/0x10 [cifs]
 cifs_demultiplex_thread+0x692/0x1570 [cifs]
 ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
 ? rcu_is_watching+0x20/0x50
 ? rcu_lockdep_current_cpu_online+0x62/0xb0
 ? find_held_lock+0x32/0x90
 ? kvm_sched_clock_read+0x11/0x20
 ? local_clock_noinstr+0xd/0xd0
 ? trace_irq_enable.constprop.0+0xa8/0xe0
 ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
 kthread+0x1fe/0x380
 ? kthread+0x10f/0x380
 ? __pfx_kthread+0x10/0x10
 ? local_clock_noinstr+0xd/0xd0
 ? ret_from_fork+0x1b/0x60
 ? local_clock+0x15/0x30
 ? lock_release+0x29b/0x390
 ? rcu_is_watching+0x20/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x31/0x60
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
 </TASK>
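The mount options named in the commit message ('vers=3.1.1,multichannel,max_channels=4,seal') are the ones the SMB client exposes in /proc/mounts, so an administrator can tell from that file which mounts on a host are running in the affected configuration. The script below is an added example for this page, not kernel or project code: it parses constructed /proc/mounts lines (the hostnames, paths and addresses are made up) and reports every cifs/smb3 mount that has multichannel enabled, together with the dialect, max_channels and whether seal (encryption) is set.

```python
"""Audit /proc/mounts for SMB client mounts that have multichannel enabled.
Added example for this page, not kernel or project code.  SAMPLE_PROC_MOUNTS
is constructed: the share names, mount points and addresses are invented."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
//fs1.example.test/data /mnt/data cifs rw,relatime,vers=3.1.1,cache=strict,username=svc,uid=0,gid=0,addr=192.0.2.10,soft,serverino,rsize=4194304,wsize=4194304,multichannel,max_channels=4,seal 0 0
//fs2.example.test/home /mnt/home\\040share cifs rw,relatime,vers=3.0,cache=strict,username=svc,uid=0,gid=0,addr=192.0.2.11,soft,serverino,multichannel,max_channels=2 0 0
//fs3.example.test/pub /mnt/pub cifs ro,relatime,vers=3.1.1,cache=strict,username=guest,uid=0,gid=0,addr=192.0.2.12,soft,serverino 0 0
"""

# /proc/mounts encodes space, tab, newline and backslash inside a field as \ooo
_OCTAL = re.compile(r"\\([0-7]{3})")


def _unescape(field: str) -> str:
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


@dataclass
class Mount:
    source: str
    target: str
    fstype: str
    options: Dict[str, Optional[str]]   # flag options (e.g. "seal") map to None


def parse_proc_mounts(text: str) -> List[Mount]:
    """Split each line into source, target, fstype and an options dict."""
    mounts: List[Mount] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        source, target, fstype, raw_opts = (_unescape(p) for p in parts[:4])
        options: Dict[str, Optional[str]] = {}
        for opt in raw_opts.split(","):
            key, sep, value = opt.partition("=")
            options[key] = value if sep else None
        mounts.append(Mount(source, target, fstype, options))
    return mounts


@dataclass
class Finding:
    target: str
    source: str
    vers: Optional[str]          # negotiated dialect as shown, e.g. "3.1.1"
    max_channels: Optional[int]  # None if the option is not printed
    sealed: bool                 # True when the "seal" flag is present


def multichannel_cifs_mounts(text: str) -> List[Finding]:
    """One Finding per cifs/smb3 mount with multichannel on: the mounts an
    admin would remount without that option while the kernel is unpatched."""
    findings: List[Finding] = []
    for m in parse_proc_mounts(text):
        if m.fstype not in ("cifs", "smb3") or "multichannel" not in m.options:
            continue
        mc = m.options.get("max_channels")
        findings.append(Finding(
            target=m.target, source=m.source, vers=m.options.get("vers"),
            max_channels=int(mc) if mc is not None else None,
            sealed="seal" in m.options))
    return findings


if __name__ == "__main__":
    for f in multichannel_cifs_mounts(SAMPLE_PROC_MOUNTS):
        print(f"{f.target} <- {f.source}: vers={f.vers} "
              f"max_channels={f.max_channels} seal={f.sealed}")
```

On a live host, replace SAMPLE_PROC_MOUNTS with the contents of /proc/mounts; the octal unescaping matters because a mount point containing a space would otherwise be reported under a mangled path.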
AI Analysis
Technical Summary
CVE-2025-37750 is a use-after-free (UAF) vulnerability in the Linux kernel's SMB (Server Message Block) client, specifically in how received messages are decrypted when SMB multichannel is in use. The vulnerability arises after two commits, one that allocates cryptographic resources only for the primary server and one that fixed a UAF in asynchronous decryption. After those changes, the CIFS daemon (cifsd) threads, one per channel in an SMB multichannel session, reused the AEAD (Authenticated Encryption with Associated Data) transform object (TFM) of the primary channel for synchronous decryption. This reuse is unsafe because several cifsd threads can access the shared transform at the same time, which can lead to a use-after-free. The vulnerability manifests as kernel memory corruption detected by the Kernel Address Sanitizer (KASAN) as a slab-use-after-free during cryptographic operations, specifically in gf128mul_4k_lle, the GHASH multiplication used by Galois/Counter Mode (GCM). The issue was reproducible by running the filesystem test generic/249 with SMB 3.1.1, multichannel (max_channels=4) and encryption (seal) enabled against Windows Server 2022. Exploitation could lead to kernel crashes or potentially to arbitrary code execution in kernel space due to memory corruption. The vulnerability affects multiple Linux kernel versions identified by specific commit hashes, indicating it is present in recent kernel releases prior to the fix. No CVSS score has been assigned yet, and no known exploits were reported in the wild at the time of publication (May 2025).
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those whose Linux systems mount file shares and network storage over SMB with multichannel support enabled (the flaw is in the kernel's SMB client, so it is exposed wherever Linux hosts connect to SMB servers). The use-after-free flaw can lead to kernel panics, causing denial of service (DoS) and disrupting critical services and business operations. More critically, if exploited, it could allow attackers to execute arbitrary code with kernel privileges, compromising system confidentiality, integrity, and availability; this could lead to unauthorized access to sensitive data, lateral movement within networks, and persistent footholds. Given the widespread use of Linux in enterprise environments, cloud infrastructure, and critical systems across Europe, the vulnerability could affect sectors such as finance, healthcare, government, and telecommunications. The complexity of the vulnerability (concurrent access by several channel threads) and the requirement for a multichannel SMB configuration may limit exploitation to targeted attacks, but the potential severity remains high.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernel to versions that include the fix for CVE-2025-37750 as soon as patches become available. Until patches are applied, organizations should consider disabling SMB multichannel support on Linux clients and servers where feasible to reduce exposure. Network segmentation and strict access controls should be enforced so that SMB traffic is limited to trusted hosts. Monitoring kernel logs for KASAN alerts or unusual SMB client behavior can help detect attempted exploitation. Additionally, organizations should audit their SMB configurations to ensure minimal exposure and apply the principle of least privilege to SMB shares. For environments using Windows Server 2022 as SMB servers, ensure those servers are also fully patched to avoid triggering the vulnerability during SMB interactions. Finally, maintain up-to-date intrusion detection systems (IDS) and endpoint detection and response (EDR) solutions capable of identifying anomalous kernel-level activity related to SMB operations.
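The log-monitoring step above can be automated. The following is an added example for this page, not code from the kernel or the fix: it parses KASAN reports out of dmesg-style text and returns one finding per report whose reliable call-trace frames run through the SMB client module [cifs]. The sample log is constructed: the first report is the splat quoted in the description with timestamps added and most frames trimmed, and the second report (module [fakemod], task modprobe) is invented so that the filter has something to reject. One caveat a practitioner should keep in mind: KASAN is a debugging option (CONFIG_KASAN) that production distribution kernels normally do not enable, so such reports will usually only appear on test or staging kernels built with it.

```python
"""Pull KASAN reports out of kernel log text and flag those whose call trace
runs through the SMB client module ([cifs]).  Added example for this page, not
kernel code.  SAMPLE_DMESG is constructed: the first report is the splat from
the description (timestamps added, frames trimmed), the second is invented."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

SAMPLE_DMESG = """\
[  131.100100] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xba/0x110
[  131.100200] Read of size 8 at addr ffff8881046c18a0 by task cifsd/986
[  131.100300] CPU: 3 UID: 0 PID: 986 Comm: cifsd Not tainted 6.15.0-rc1 #1 PREEMPT(voluntary)
[  131.100400] Call Trace:
[  131.100500]  <TASK>
[  131.100600]  dump_stack_lvl+0x5d/0x80
[  131.100800]  ? gf128mul_4k_lle+0xba/0x110
[  131.100900]  kasan_report+0xdf/0x1a0
[  131.101000]  gf128mul_4k_lle+0xba/0x110
[  131.101100]  ghash_update+0x189/0x210
[  131.101300]  crypt_message+0xe09/0xec0 [cifs]
[  131.101400]  ? __pfx_crypt_message+0x10/0x10 [cifs]
[  131.101500]  decrypt_raw_data+0x229/0x380 [cifs]
[  131.101600]  smb3_receive_transform+0x837/0xc80 [cifs]
[  131.101700]  cifs_demultiplex_thread+0x692/0x1570 [cifs]
[  131.101800]  kthread+0x1fe/0x380
[  131.101900]  ret_from_fork_asm+0x1a/0x30
[  131.102000]  </TASK>
[  150.000100] BUG: KASAN: slab-out-of-bounds in fake_fn+0x12/0x40
[  150.000200] Write of size 4 at addr ffff888100000000 by task modprobe/1200
[  150.000300] CPU: 1 UID: 0 PID: 1200 Comm: modprobe Tainted: G        W 6.15.0-rc1 #1 PREEMPT(voluntary)
[  150.000400] Call Trace:
[  150.000500]  <TASK>
[  150.000600]  fake_fn+0x12/0x40 [fakemod]
[  150.000700]  kthread+0x1fe/0x380
[  150.000800]  </TASK>
[  160.000000] usb 1-1: new high-speed USB device number 2
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                       # dmesg timestamp
_BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<sym>\S+)")
_ACCESS = re.compile(r"(?P<access>Read|Write) of size (?P<size>\d+) at addr "
                     r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
_CPU = re.compile(r"Comm: (?P<comm>\S+) (?:Not tainted|Tainted:.*?) (?P<kernel>\d\S*)")
_FRAME = re.compile(r"^(?P<unreliable>\? )?(?P<sym>\S+\+0x[0-9a-f]+/0x[0-9a-f]+)"
                    r"(?: \[(?P<module>\w+)\])?$")


@dataclass
class Frame:
    sym: str                 # symbol+offset/size exactly as printed
    module: Optional[str]    # "[cifs]" -> "cifs"; None for built-in code
    reliable: bool           # False for frames the unwinder marked with "? "


@dataclass
class KasanReport:
    kind: str                # e.g. slab-use-after-free
    func: str                # faulting function, offset stripped
    access: str = ""
    size: int = 0
    addr: str = ""
    task: str = ""
    pid: int = 0
    kernel: str = ""
    frames: List[Frame] = field(default_factory=list)

    def modules(self) -> Set[str]:
        return {f.module for f in self.frames if f.reliable and f.module}


def parse_kasan_reports(text: str) -> List[KasanReport]:
    """Open a report at each 'BUG: KASAN:' line, close it at </TASK>."""
    reports: List[KasanReport] = []
    cur: Optional[KasanReport] = None
    in_trace = False
    for raw in text.splitlines():
        line = _TS.sub("", raw).strip()
        if (m := _BUG.search(line)):
            cur = KasanReport(kind=m["kind"], func=m["sym"].split("+", 1)[0])
            reports.append(cur)
            in_trace = False
        elif cur is None:
            continue
        elif (m := _ACCESS.search(line)):
            cur.access, cur.size, cur.addr = m["access"], int(m["size"]), m["addr"]
            cur.task, cur.pid = m["task"], int(m["pid"])
        elif (m := _CPU.search(line)):
            cur.kernel = m["kernel"]
        elif line == "<TASK>":
            in_trace = True
        elif line == "</TASK>":
            in_trace, cur = False, None
        elif in_trace and (m := _FRAME.match(line)):
            cur.frames.append(Frame(m["sym"], m["module"], m["unreliable"] is None))
    return reports


def smb_client_findings(text: str, module: str = "cifs") -> List[str]:
    """One summary line per report whose reliable frames run through `module`."""
    return [f"{r.kind} in {r.func} via [{module}] (task {r.task}/{r.pid}, "
            f"kernel {r.kernel}, {r.access.lower()} of {r.size} bytes at {r.addr})"
            for r in parse_kasan_reports(text) if module in r.modules()]


if __name__ == "__main__":
    print("\n".join(smb_client_findings(SAMPLE_DMESG)))
```

Attribution uses only the reliable frames: the "? " frames are the unwinder's guesses and can name a module that was not actually on the stack, so they are parsed but excluded from modules().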
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-04-16T04:51:23.937Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdd47c
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 7/3/2025, 10:40:08 PM
Last updated: 11/22/2025, 7:26:42 PM