{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-37750", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:23.937Z", "datePublished": "2025-05-01T12:55:55.988Z", "dateUpdated": "2025-05-26T05:20:05.418Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-26T05:20:05.418Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix UAF in decryption with multichannel\n\nAfter commit f7025d861694 (\"smb: client: allocate crypto only for\nprimary server\") and commit b0abcd65ec54 (\"smb: client: fix UAF in\nasync decryption\"), the channels started reusing AEAD TFM from primary\nchannel to perform synchronous decryption, but that can't done as\nthere could be multiple cifsd threads (one per channel) simultaneously\naccessing it to perform decryption.\n\nThis fixes the following KASAN splat when running fstest generic/249\nwith 'vers=3.1.1,multichannel,max_channels=4,seal' against Windows\nServer 2022:\n\nBUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xba/0x110\nRead of size 8 at addr ffff8881046c18a0 by task cifsd/986\nCPU: 3 UID: 0 PID: 986 Comm: cifsd Not tainted 6.15.0-rc1 #1\nPREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41\n04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x5d/0x80\n print_report+0x156/0x528\n ? gf128mul_4k_lle+0xba/0x110\n ? __virt_addr_valid+0x145/0x300\n ? __phys_addr+0x46/0x90\n ? gf128mul_4k_lle+0xba/0x110\n kasan_report+0xdf/0x1a0\n ? gf128mul_4k_lle+0xba/0x110\n gf128mul_4k_lle+0xba/0x110\n ghash_update+0x189/0x210\n shash_ahash_update+0x295/0x370\n ? __pfx_shash_ahash_update+0x10/0x10\n ? __pfx_shash_ahash_update+0x10/0x10\n ? __pfx_extract_iter_to_sg+0x10/0x10\n ? ___kmalloc_large_node+0x10e/0x180\n ? __asan_memset+0x23/0x50\n crypto_ahash_update+0x3c/0xc0\n gcm_hash_assoc_remain_continue+0x93/0xc0\n crypt_message+0xe09/0xec0 [cifs]\n ? __pfx_crypt_message+0x10/0x10 [cifs]\n ? _raw_spin_unlock+0x23/0x40\n ? __pfx_cifs_readv_from_socket+0x10/0x10 [cifs]\n decrypt_raw_data+0x229/0x380 [cifs]\n ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]\n ? __pfx_cifs_read_iter_from_socket+0x10/0x10 [cifs]\n smb3_receive_transform+0x837/0xc80 [cifs]\n ? __pfx_smb3_receive_transform+0x10/0x10 [cifs]\n ? __pfx___might_resched+0x10/0x10\n ? __pfx_smb3_is_transform_hdr+0x10/0x10 [cifs]\n cifs_demultiplex_thread+0x692/0x1570 [cifs]\n ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]\n ? rcu_is_watching+0x20/0x50\n ? rcu_lockdep_current_cpu_online+0x62/0xb0\n ? find_held_lock+0x32/0x90\n ? kvm_sched_clock_read+0x11/0x20\n ? local_clock_noinstr+0xd/0xd0\n ? trace_irq_enable.constprop.0+0xa8/0xe0\n ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]\n kthread+0x1fe/0x380\n ? kthread+0x10f/0x380\n ? __pfx_kthread+0x10/0x10\n ? local_clock_noinstr+0xd/0xd0\n ? ret_from_fork+0x1b/0x60\n ? local_clock+0x15/0x30\n ? lock_release+0x29b/0x390\n ? rcu_is_watching+0x20/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x60\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/cifsencrypt.c", "fs/smb/client/smb2ops.c", "fs/smb/client/smb2pdu.c"], "versions": [{"version": "b0abcd65ec545701b8793e12bc27dc98042b151a", "lessThan": "aa5a1e4b882964eb79d5b5d1d1e8a1a5efbb1d15", "status": "affected", "versionType": "git"}, {"version": "b0abcd65ec545701b8793e12bc27dc98042b151a", "lessThan": "e859b216d94668bc66330e61be201234f4413d1a", "status": "affected", "versionType": "git"}, {"version": "b0abcd65ec545701b8793e12bc27dc98042b151a", "lessThan": "950557922c1298464749c216d8763e97faf5d0a6", "status": "affected", "versionType": "git"}, {"version": "b0abcd65ec545701b8793e12bc27dc98042b151a", "lessThan": "9502dd5c7029902f4a425bf959917a5a9e7c0e50", "status": "affected", "versionType": "git"}, {"version": "8f14a476abba13144df5434871a7225fd29af633", "status": "affected", "versionType": "git"}, {"version": "ef51c0d544b1518b35364480317ab6d3468f205d", "status": "affected", "versionType": "git"}, {"version": "bce966530fd5542bbb422cb45ecb775f7a1a6bc3", "status": "affected", "versionType": "git"}, {"version": "0809fb86ad13b29e1d6d491364fc7ea4fb545995", "status": "affected", "versionType": "git"}, {"version": "538c26d9bf70c90edc460d18c81008a4e555925a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/client/cifsencrypt.c", "fs/smb/client/smb2ops.c", "fs/smb/client/smb2pdu.c"], "versions": [{"version": "6.12", "status": "affected"}, {"version": "0", "lessThan": "6.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.24", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.12", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.3", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.12.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.13.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.14.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.15"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.237"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.181"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.128"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.57"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11.4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/aa5a1e4b882964eb79d5b5d1d1e8a1a5efbb1d15"}, {"url": "https://git.kernel.org/stable/c/e859b216d94668bc66330e61be201234f4413d1a"}, {"url": "https://git.kernel.org/stable/c/950557922c1298464749c216d8763e97faf5d0a6"}, {"url": "https://git.kernel.org/stable/c/9502dd5c7029902f4a425bf959917a5a9e7c0e50"}], "title": "smb: client: fix UAF in decryption with multichannel", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B227CA05-3F78-4828-9681-ACB2FDB45E80", "versionEndExcluding": "5.11", "versionStartIncluding": "5.10.237", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F8FEAE24-CB34-4B84-9E28-2D74CDEDB690", "versionEndExcluding": "5.16", "versionStartIncluding": "5.15.181", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4F343A00-220D-4231-86BC-24A8BAFDF4F1", "versionEndExcluding": "6.2", "versionStartIncluding": "6.1.128", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "81490A89-31D0-45CD-97F5-3691F7CB4246", "versionEndExcluding": "6.7", "versionStartIncluding": "6.6.57", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C147243D-8754-48F1-9C3A-E475DBEA03DA", "versionEndExcluding": "6.12.24", "versionStartIncluding": "6.11.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A475784-BF3B-4514-81EE-49C8522FB24A", "versionEndExcluding": "6.13.12", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "483E2E15-2135-4EC6-AB64-16282C5EF704", "versionEndExcluding": "6.14.3", "versionStartIncluding": "6.14", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D465631-2980-487A-8E65-40AE2B9F8ED1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix UAF in decryption with multichannel\n\nAfter commit f7025d861694 (\"smb: client: allocate crypto only for\nprimary server\") and commit b0abcd65ec54 (\"smb: client: fix UAF in\nasync decryption\"), the channels started reusing AEAD TFM from primary\nchannel to perform synchronous decryption, but that can't done as\nthere could be multiple cifsd threads (one per channel) simultaneously\naccessing it to perform decryption.\n\nThis fixes the following KASAN splat when running fstest generic/249\nwith 'vers=3.1.1,multichannel,max_channels=4,seal' against Windows\nServer 2022:\n\nBUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xba/0x110\nRead of size 8 at addr ffff8881046c18a0 by task cifsd/986\nCPU: 3 UID: 0 PID: 986 Comm: cifsd Not tainted 6.15.0-rc1 #1\nPREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41\n04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x5d/0x80\n print_report+0x156/0x528\n ? gf128mul_4k_lle+0xba/0x110\n ? __virt_addr_valid+0x145/0x300\n ? __phys_addr+0x46/0x90\n ? gf128mul_4k_lle+0xba/0x110\n kasan_report+0xdf/0x1a0\n ? gf128mul_4k_lle+0xba/0x110\n gf128mul_4k_lle+0xba/0x110\n ghash_update+0x189/0x210\n shash_ahash_update+0x295/0x370\n ? __pfx_shash_ahash_update+0x10/0x10\n ? __pfx_shash_ahash_update+0x10/0x10\n ? __pfx_extract_iter_to_sg+0x10/0x10\n ? ___kmalloc_large_node+0x10e/0x180\n ? __asan_memset+0x23/0x50\n crypto_ahash_update+0x3c/0xc0\n gcm_hash_assoc_remain_continue+0x93/0xc0\n crypt_message+0xe09/0xec0 [cifs]\n ? __pfx_crypt_message+0x10/0x10 [cifs]\n ? _raw_spin_unlock+0x23/0x40\n ? __pfx_cifs_readv_from_socket+0x10/0x10 [cifs]\n decrypt_raw_data+0x229/0x380 [cifs]\n ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]\n ? __pfx_cifs_read_iter_from_socket+0x10/0x10 [cifs]\n smb3_receive_transform+0x837/0xc80 [cifs]\n ? __pfx_smb3_receive_transform+0x10/0x10 [cifs]\n ? __pfx___might_resched+0x10/0x10\n ? __pfx_smb3_is_transform_hdr+0x10/0x10 [cifs]\n cifs_demultiplex_thread+0x692/0x1570 [cifs]\n ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]\n ? rcu_is_watching+0x20/0x50\n ? rcu_lockdep_current_cpu_online+0x62/0xb0\n ? find_held_lock+0x32/0x90\n ? kvm_sched_clock_read+0x11/0x20\n ? local_clock_noinstr+0xd/0xd0\n ? trace_irq_enable.constprop.0+0xa8/0xe0\n ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]\n kthread+0x1fe/0x380\n ? kthread+0x10f/0x380\n ? __pfx_kthread+0x10/0x10\n ? local_clock_noinstr+0xd/0xd0\n ? ret_from_fork+0x1b/0x60\n ? local_clock+0x15/0x30\n ? lock_release+0x29b/0x390\n ? rcu_is_watching+0x20/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x60\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: corregir UAF en descifrado con multicanal Despu\u00e9s de la confirmaci\u00f3n f7025d861694 (\"smb: cliente: asignar criptograf\u00eda solo para el servidor principal\") y la confirmaci\u00f3n b0abcd65ec54 (\"smb: cliente: corregir UAF en descifrado as\u00edncrono\"), los canales comenzaron a reutilizar AEAD TFM del canal principal para realizar un descifrado sincr\u00f3nico, pero eso no se puede hacer ya que podr\u00eda haber varios subprocesos cifsd (uno por canal) accediendo simult\u00e1neamente a \u00e9l para realizar el descifrado. Esto corrige el siguiente splat de KASAN al ejecutar fstest generic/249 con 'vers=3.1.1,multichannel,max_channels=4,seal' en Windows Server 2022: ERROR: KASAN: slab-use-after-free en gf128mul_4k_lle+0xba/0x110 Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff8881046c18a0 por la tarea cifsd/986 CPU: 3 UID: 0 PID: 986 Comm: cifsd No contaminado 6.15.0-rc1 #1 PREEMPT(voluntario) Nombre del hardware: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 01/04/2014 Seguimiento de llamadas: dump_stack_lvl+0x5d/0x80 print_report+0x156/0x528 ? gf128mul_4k_lle+0xba/0x110 ? __virt_addr_valid+0x145/0x300 ? __phys_addr+0x46/0x90 ? gf128mul_4k_lle+0xba/0x110 kasan_report+0xdf/0x1a0 ? gf128mul_4k_lle+0xba/0x110 gf128mul_4k_lle+0xba/0x110 ghash_update+0x189/0x210 shash_ahash_update+0x295/0x370 ? __pfx_shash_ahash_update+0x10/0x10 ? __pfx_shash_ahash_update+0x10/0x10 ? __pfx_extract_iter_to_sg+0x10/0x10 ? ___kmalloc_large_node+0x10e/0x180 ? __asan_memset+0x23/0x50 crypto_ahash_update+0x3c/0xc0 gcm_hash_assoc_remain_continue+0x93/0xc0 crypt_message+0xe09/0xec0 [cifs] ? __pfx_crypt_message+0x10/0x10 [cifs] ? _raw_spin_unlock+0x23/0x40 ? __pfx_cifs_readv_from_socket+0x10/0x10 [cifs] decrypt_raw_data+0x229/0x380 [cifs] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs] ? __pfx_cifs_read_iter_from_socket+0x10/0x10 [cifs] smb3_receive_transform+0x837/0xc80 [cifs] ? __pfx_smb3_receive_transform+0x10/0x10 [cifs] ? __pfx___might_resched+0x10/0x10 ? __pfx_smb3_is_transform_hdr+0x10/0x10 [cifs] cifs_demultiplex_thread+0x692/0x1570 [cifs] ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] ? rcu_is_watching+0x20/0x50 ? rcu_lockdep_current_cpu_online+0x62/0xb0 ? find_held_lock+0x32/0x90 ? kvm_sched_clock_read+0x11/0x20 ? local_clock_noinstr+0xd/0xd0 ? trace_irq_enable.constprop.0+0xa8/0xe0 ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] kthread+0x1fe/0x380 ? kthread+0x10f/0x380 ? __pfx_kthread+0x10/0x10 ? local_clock_noinstr+0xd/0xd0 ? ret_from_fork+0x1b/0x60 ? local_clock+0x15/0x30 ? lock_release+0x29b/0x390 ? rcu_is_watching+0x20/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 "}], "id": "CVE-2025-37750", "lastModified": "2025-11-06T21:31:49.003", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2025-05-01T13:15:53.740", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9502dd5c7029902f4a425bf959917a5a9e7c0e50"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/950557922c1298464749c216d8763e97faf5d0a6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/aa5a1e4b882964eb79d5b5d1d1e8a1a5efbb1d15"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e859b216d94668bc66330e61be201234f4413d1a"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "[email protected]", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2025:9079", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "kernel-0:6.12.0-55.17.1.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-06-16T00:00:00Z"}, {"advisory": "RHSA-2025:9080", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-570.22.1.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-06-16T00:00:00Z"}, {"advisory": "RHSA-2025:9080", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-570.22.1.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-06-16T00:00:00Z"}, {"advisory": "RHSA-2025:9393", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kpatch-patch", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-06-23T00:00:00Z"}], "bugzilla": {"description": "kernel: smb: client: fix UAF in decryption with multichannel", "id": "2363341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2363341"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nsmb: client: fix UAF in decryption with multichannel\nAfter commit f7025d861694 (\"smb: client: allocate crypto only for\nprimary server\") and commit b0abcd65ec54 (\"smb: client: fix UAF in\nasync decryption\"), the channels started reusing AEAD TFM from primary\nchannel to perform synchronous decryption, but that can't done as\nthere could be multiple cifsd threads (one per channel) simultaneously\naccessing it to perform decryption.\nThis fixes the following KASAN splat when running fstest generic/249\nwith 'vers=3.1.1,multichannel,max_channels=4,seal' against Windows\nServer 2022:\nBUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xba/0x110\nRead of size 8 at addr ffff8881046c18a0 by task cifsd/986\nCPU: 3 UID: 0 PID: 986 Comm: cifsd Not tainted 6.15.0-rc1 #1\nPREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41\n04/01/2014\nCall Trace:\n<TASK>\ndump_stack_lvl+0x5d/0x80\nprint_report+0x156/0x528\n? gf128mul_4k_lle+0xba/0x110\n? __virt_addr_valid+0x145/0x300\n? __phys_addr+0x46/0x90\n? gf128mul_4k_lle+0xba/0x110\nkasan_report+0xdf/0x1a0\n? gf128mul_4k_lle+0xba/0x110\ngf128mul_4k_lle+0xba/0x110\nghash_update+0x189/0x210\nshash_ahash_update+0x295/0x370\n? __pfx_shash_ahash_update+0x10/0x10\n? __pfx_shash_ahash_update+0x10/0x10\n? __pfx_extract_iter_to_sg+0x10/0x10\n? ___kmalloc_large_node+0x10e/0x180\n? __asan_memset+0x23/0x50\ncrypto_ahash_update+0x3c/0xc0\ngcm_hash_assoc_remain_continue+0x93/0xc0\ncrypt_message+0xe09/0xec0 [cifs]\n? __pfx_crypt_message+0x10/0x10 [cifs]\n? _raw_spin_unlock+0x23/0x40\n? __pfx_cifs_readv_from_socket+0x10/0x10 [cifs]\ndecrypt_raw_data+0x229/0x380 [cifs]\n? __pfx_decrypt_raw_data+0x10/0x10 [cifs]\n? __pfx_cifs_read_iter_from_socket+0x10/0x10 [cifs]\nsmb3_receive_transform+0x837/0xc80 [cifs]\n? __pfx_smb3_receive_transform+0x10/0x10 [cifs]\n? __pfx___might_resched+0x10/0x10\n? __pfx_smb3_is_transform_hdr+0x10/0x10 [cifs]\ncifs_demultiplex_thread+0x692/0x1570 [cifs]\n? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]\n? rcu_is_watching+0x20/0x50\n? rcu_lockdep_current_cpu_online+0x62/0xb0\n? find_held_lock+0x32/0x90\n? kvm_sched_clock_read+0x11/0x20\n? local_clock_noinstr+0xd/0xd0\n? trace_irq_enable.constprop.0+0xa8/0xe0\n? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]\nkthread+0x1fe/0x380\n? kthread+0x10f/0x380\n? __pfx_kthread+0x10/0x10\n? local_clock_noinstr+0xd/0xd0\n? ret_from_fork+0x1b/0x60\n? local_clock+0x15/0x30\n? lock_release+0x29b/0x390\n? rcu_is_watching+0x20/0x50\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x31/0x60\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1a/0x30\n</TASK>"], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}, "name": "CVE-2025-37750", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-05-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-37750\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-37750\nhttps://lore.kernel.org/linux-cve-announce/2025050136-CVE-2025-37750-fdd8@gregkh/T"], "statement": "This vulnerability exists in how the SMB client manages cryptography for multi-channel connections. When using multi-channel connections, there is a possibility that a race condition will occur in separate threads. In that case, it is possible for one thread to free memory related to cryptography before another thread accesses it. An attacker could leverage that vulnerability to modify kernel memory, which could result in an escalation of privileges as well as potentially impacting system stability and integrity.\nThe changes in multichannel SMB client cryptography management that led to this vulnerability are not present in Red Hat Enterprise Linux 8 or prior.", "threat_severity": "Important"}