-

CVE-2025-68263

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: ipc: fix use-after-free in ipc_msg_send_request

ipc_msg_send_request() waits for a generic netlink reply using an
ipc_msg_table_entry on the stack. The generic netlink handler
(handle_generic_event()/handle_response()) fills entry->response under
ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free
entry->response without holding the same lock.

Under high concurrency this allows a race where handle_response() is
copying data into entry->response while ipc_msg_send_request() has just
freed it, leading to a slab-use-after-free reported by KASAN in
handle_generic_event():

  BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]
  Write of size 12 at addr ffff888198ee6e20 by task pool/109349
  ...
  Freed by task:
    kvfree
    ipc_msg_send_request [ksmbd]
    ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd]

Fix by:
- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating
  entry->response, freeing it when invalid, and removing the entry from
  ipc_msg_table.
- Returning the final entry->response pointer to the caller only after
  the hash entry is removed under the lock.
- Returning NULL in the error path, preserving the original API
  semantics.

This makes all accesses to entry->response consistent with
handle_response(), which already updates and fills the response buffer
under ipc_msg_table_lock, and closes the race that allowed the UAF.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version < de85fb58f9967ba024bb08e0041613d37b57b4d1
Version 0626e6641f6b467447c81dd7678a69c66f7746cf
Status affected
Version < 708a620b471a14466f1f52c90bf3f65ebdb31460
Version 0626e6641f6b467447c81dd7678a69c66f7746cf
Status affected
Version < 5ac763713a1ef8f9a8bda1dbd81f0318d67baa4e
Version 0626e6641f6b467447c81dd7678a69c66f7746cf
Status affected
Version < 759c8c30cfa8706c518e56f67971b1f0932f4b9b
Version 0626e6641f6b467447c81dd7678a69c66f7746cf
Status affected
Version < 8229c6ca50cea701e25a7ee25f48441b582ec5fa
Version 0626e6641f6b467447c81dd7678a69c66f7746cf
Status affected
Version < 1fab1fa091f5aa97265648b53ea031deedd26235
Version 0626e6641f6b467447c81dd7678a69c66f7746cf
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 5.15
Status affected
Version < 5.15
Version 0
Status unaffected
Version <= 6.1.*
Version 6.1.160
Status unaffected
Version <= 6.6.*
Version 6.6.120
Status unaffected
Version <= 6.12.*
Version 6.12.62
Status unaffected
Version <= 6.17.*
Version 6.17.12
Status unaffected
Version <= 6.18.*
Version 6.18.1
Status unaffected
Version <= *
Version 6.19-rc1
Status unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.04% 0.098
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
Es wurden noch keine Informationen zu CWE veröffentlicht.