{"id":"CVE-2025-38527","summary":"smb: client: fix use-after-free in cifs_oplock_break","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in cifs_oplock_break\n\nA race condition can occur in cifs_oplock_break() leading to a\nuse-after-free of the cinode structure when unmounting:\n\n  cifs_oplock_break()\n    _cifsFileInfo_put(cfile)\n      cifsFileInfo_put_final()\n        cifs_sb_deactive()\n          [last ref, start releasing sb]\n            kill_sb()\n              kill_anon_super()\n                generic_shutdown_super()\n                  evict_inodes()\n                    dispose_list()\n                      evict()\n                        destroy_inode()\n                          call_rcu(&inode-\u003ei_rcu, i_callback)\n    spin_lock(&cinode-\u003eopen_file_lock)  \u003c- OK\n                            [later] i_callback()\n                              cifs_free_inode()\n                                kmem_cache_free(cinode)\n    spin_unlock(&cinode-\u003eopen_file_lock)  \u003c- UAF\n    cifs_done_oplock_break(cinode)       \u003c- UAF\n\nThe issue occurs when umount has already released its reference to the\nsuperblock. When _cifsFileInfo_put() calls cifs_sb_deactive(), this\nreleases the last reference, triggering the immediate cleanup of all\ninodes under RCU. However, cifs_oplock_break() continues to access the\ncinode after this point, resulting in use-after-free.\n\nFix this by holding an extra reference to the superblock during the\nentire oplock break operation. This ensures that the superblock and\nits inodes remain valid until the oplock break completes.","modified":"2026-03-20T12:42:54.215646Z","published":"2025-08-16T11:12:20.843Z","related":["ALSA-2025:16880","ALSA-2025:16904","ALSA-2025:17397","ALSA-2025:17398","SUSE-SU-2025:03600-1","SUSE-SU-2025:03601-1","SUSE-SU-2025:03602-1","SUSE-SU-2025:03614-1","SUSE-SU-2025:03633-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20851-1","SUSE-SU-2025:20861-1","SUSE-SU-2025:20870-1","SUSE-SU-2025:20898-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","SUSE-SU-2025:3725-1","SUSE-SU-2025:3751-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38527.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/09bce2138a30ef10d8821c8c3f73a4ab7a5726bc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0a4eec84d4d2c4085d4ed8630fd74e4b39033c1b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2baaf5bbab2ac474c4f92c10fcb3310f824db995"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4256a483fe58af66a46cbf3dc48ff26e580d3308"},{"type":"WEB","url":"https://git.kernel.org/stable/c/705c79101ccf9edea5a00d761491a03ced314210"},{"type":"WEB","url":"https://git.kernel.org/stable/c/da11bd4b697b393a207f19a2ed7d382a811a3ddc"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38527.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38527"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b98749cac4a695f084a5ff076f4510b23e353ecd"},{"fixed":"4256a483fe58af66a46cbf3dc48ff26e580d3308"},{"fixed":"0a4eec84d4d2c4085d4ed8630fd74e4b39033c1b"},{"fixed":"2baaf5bbab2ac474c4f92c10fcb3310f824db995"},{"fixed":"09bce2138a30ef10d8821c8c3f73a4ab7a5726bc"},{"fixed":"da11bd4b697b393a207f19a2ed7d382a811a3ddc"},{"fixed":"705c79101ccf9edea5a00d761491a03ced314210"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"2429fcf06d3cb962693868ab0a927c9038f12a2d"},{"last_affected":"1ee4f2d7cdcd4508cc3cbe3b2622d7177b89da12"},{"last_affected":"53fc31a4853e30d6e8f142b824f724da27ff3e40"},{"last_affected":"8092ecc306d81186a64cda42411121f4d35aaff4"},{"last_affected":"ebac4d0adf68f8962bd82fcf483936edd6ec095b"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38527.json"}}],"schema_version":"1.7.5"}