-
CVE-2025-38488
- EPSS 0.02%
- Veröffentlicht 28.07.2025 11:21:52
- Zuletzt bearbeitet 28.08.2025 15:15:50
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- Teams Watchlist Login
- Unerledigt Login
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in crypt_message when using async crypto The CVE-2024-50047 fix removed asynchronous crypto handling from crypt_message(), assuming all crypto operations are synchronous. However, when hardware crypto accelerators are used, this can cause use-after-free crashes: crypt_message() // Allocate the creq buffer containing the req creq = smb2_get_aead_req(..., &req); // Async encryption returns -EINPROGRESS immediately rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); // Free creq while async operation is still in progress kvfree_sensitive(creq, ...); Hardware crypto modules often implement async AEAD operations for performance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS, the operation completes asynchronously. Without crypto_wait_req(), the function immediately frees the request buffer, leading to crashes when the driver later accesses the freed memory. This results in a use-after-free condition when the hardware crypto driver later accesses the freed request structure, leading to kernel crashes with NULL pointer dereferences. The issue occurs because crypto_alloc_aead() with mask=0 doesn't guarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in the mask, async implementations can be selected. Fix by restoring the async crypto handling: - DECLARE_CRYPTO_WAIT(wait) for completion tracking - aead_request_set_callback() for async completion notification - crypto_wait_req() to wait for operation completion This ensures the request buffer isn't freed until the crypto operation completes, whether synchronous or asynchronous, while preserving the CVE-2024-50047 fix.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
≫
Produkt
Linux
Default Statusunaffected
Version <
5d047b12f86cc3b9fde1171c02d9bccf4dba0632
Version
8f14a476abba13144df5434871a7225fd29af633
Status
affected
Version <
6550b2bef095d0dd2d2c8390d2ea4c3837028833
Version
ef51c0d544b1518b35364480317ab6d3468f205d
Status
affected
Version <
9a1d3e8d40f151c2d5a5f40c410e6e433f62f438
Version
bce966530fd5542bbb422cb45ecb775f7a1a6bc3
Status
affected
Version <
15a0a5de49507062bc3be4014a403d8cea5533de
Version
0809fb86ad13b29e1d6d491364fc7ea4fb545995
Status
affected
Version <
2a76bc2b24ed889a689fb1c9015307bf16aafb5b
Version
b0abcd65ec545701b8793e12bc27dc98042b151a
Status
affected
Version <
8ac90f6824fc44d2e55a82503ddfc95defb19ae0
Version
b0abcd65ec545701b8793e12bc27dc98042b151a
Status
affected
Version <
b220bed63330c0e1733dc06ea8e75d5b9962b6b6
Version
b0abcd65ec545701b8793e12bc27dc98042b151a
Status
affected
Version
538c26d9bf70c90edc460d18c81008a4e555925a
Status
affected
HerstellerLinux
≫
Produkt
Linux
Default Statusaffected
Version
6.12
Status
affected
Version <
6.12
Version
0
Status
unaffected
Version <=
5.10.*
Version
5.10.241
Status
unaffected
Version <=
5.15.*
Version
5.15.190
Status
unaffected
Version <=
6.1.*
Version
6.1.147
Status
unaffected
Version <=
6.6.*
Version
6.6.100
Status
unaffected
Version <=
6.12.*
Version
6.12.40
Status
unaffected
Version <=
6.15.*
Version
6.15.8
Status
unaffected
Version <=
*
Version
6.16
Status
unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.02% | 0.041 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|