CVE-2025-68226: The SMB Zombie That Refused to Die
Vulnerability ID: CVE-2025-68226
CVSS Score: 5.5
Published: 2025-12-16
A Use-After-Free vulnerability in the Linux Kernel's SMB client implementation caused by an incomplete backport of a previous security fix. The issue resides in the directory caching mechanism where a raw reference count decrement was used instead of a safe wrapper function.
TL;DR
Developers tried to fix a bug but missed a spot. In the Linux kernel's SMB client, a background worker thread responsible for invalidating cached directory handles was using a raw kref_put instead of the proper close_cached_dir wrapper. This oversight left a window for a Use-After-Free (UAF) condition, allowing local attackers to crash the system or potentially corrupt kernel memory.
Technical Details
- CWE ID: CWE-416
- Attack Vector: Local
- CVSS Score: 5.5 (Medium)
- Impact: Denial of Service (DoS)
- Exploit Status: None (No Public PoC)
- Component: fs/smb/client (cifs.ko)
Affected Systems
- Linux Kernel (SMB Client Subsystem)
- Ubuntu 24.04 LTS (Noble Numbat)
- Ubuntu 22.04 LTS (Jammy Jellyfish)
- Ubuntu 20.04 LTS (Focal Fossa)
- Red Hat Enterprise Linux
- Linux Kernel: Affected versions vary by distro backport status (Fixed in: Commit abd29b6e17a918fdd68352ce4813e167acc8727e)
Code Analysis
Commit: abd29b6
smb: client: fix UAF in async decryption
- kref_put(&cfid->refcount, release_cfid);
+ close_cached_dir(cfid);
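Review bot: The subject line says "async decryption", but the only changed line drops a reference on cfid->refcount, the cached-directory handle, so the subject should name the cached-dir path to make this fix findable when auditing backports. The excerpt also has no file or function header, so it does not show which call site is changed. Since the defect was a single raw kref_put(&cfid->refcount, release_cfid) left behind, the commit message should state that fs/smb/client was checked for any other raw kref_put on cfid->refcount outside close_cached_dir.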
Mitigation Strategies
- Apply vendor kernel patches immediately.
- Restrict access to SMB mounting capabilities to trusted users.
- Monitor system logs for 'General Protection Fault' or kernel oopses related to 'cifs.ko'.
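One way to act on the log-monitoring item above, as an added example that is not part of the original report: a shell function that groups kernel log lines into crash reports and flags only those with a `[cifs]` symbol annotation. The log lines, symbol names and the module `example_mod` in `sample_log` are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage kernel log text for crash reports that implicate cifs.ko.

# Reads kernel log lines on stdin. Prints the first line of every crash report
# (general protection fault, BUG:, Oops:) that contains a "[cifs]" symbol
# annotation, i.e. the faulting RIP or a stack frame is inside the module.
# A bare "cifs" in "Modules linked in:" only means the module was loaded,
# so it is deliberately not treated as a hit.
# Exit status: 0 if at least one such report was found, 1 otherwise.
cifs_oops_scan() {
    awk '
    function emit() {
        if (in_report && hit) { print header; found++ }
        in_report = 0; hit = 0
    }
    # A report starts at the first crash header seen while not inside one.
    !in_report && /[Gg]eneral protection fault|BUG: |Oops: / {
        in_report = 1; header = $0
    }
    in_report && index($0, "[cifs]") { hit = 1 }
    in_report && /---\[ end trace/   { emit() }
    # Flush a report that was cut off before its end-trace marker.
    END { emit(); exit (found ? 0 : 1) }
    '
}

# Constructed sample: one crash inside cifs, one in another module with cifs loaded.
sample_log() {
    cat <<'EOF'
[  101.000001] CIFS: Attempting to mount //fileserver.example/share
[  245.310001] general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] PREEMPT SMP NOPTI
[  245.310002] CPU: 1 PID: 77 Comm: kworker/1:2 Not tainted
[  245.310003] RIP: 0010:example_cifs_fn+0x2a/0x90 [cifs]
[  245.310004] Call Trace:
[  245.310005]  process_one_work+0x1c0/0x3a0
[  245.310006] Modules linked in: cifs example_mod
[  245.310007] ---[ end trace 0000000000000000 ]---
[  900.000001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  900.000002] RIP: 0010:example_other_fn+0x10/0x40 [example_mod]
[  900.000003] Modules linked in: cifs example_mod
[  900.000004] ---[ end trace 0000000000000000 ]---
EOF
}

# Demo on the constructed sample: prints only the 245.310001 header line.
sample_log | cifs_oops_scan
```

Pipe live logs into it with `journalctl -k | cifs_oops_scan` or `dmesg | cifs_oops_scan`. A hit shows a crash inside the module, not that this specific CVE was the cause.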
Remediation Steps:
- Update the Linux kernel to a version containing commit abd29b6e17a918fdd68352ce4813e167acc8727e.
- Reboot the system to load the new kernel image.
- Verify the kernel version using uname -r.