CVE-2025-21673 (GCVE-0-2025-21673)

Vulnerability from cvelistv5 – Published: 2025-01-31 11:25 – Updated: 2026-05-23 15:56
VLAI
Title
smb: client: fix double free of TCP_Server_Info::hostname
Summary
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix double free of TCP_Server_Info::hostname When shutting down the server in cifs_put_tcp_session(), cifsd thread might be reconnecting to multiple DFS targets before it realizes it should exit the loop, so @server->hostname can't be freed as long as cifsd thread isn't done. Otherwise the following can happen: RIP: 0010:__slab_free+0x223/0x3c0 Code: 5e 41 5f c3 cc cc cc cc 4c 89 de 4c 89 cf 44 89 44 24 08 4c 89 1c 24 e8 fb cf 8e 00 44 8b 44 24 08 4c 8b 1c 24 e9 5f fe ff ff <0f> 0b 41 f7 45 08 00 0d 21 00 0f 85 2d ff ff ff e9 1f ff ff ff 80 RSP: 0018:ffffb26180dbfd08 EFLAGS: 00010246 RAX: ffff8ea34728e510 RBX: ffff8ea34728e500 RCX: 0000000000800068 RDX: 0000000000800068 RSI: 0000000000000000 RDI: ffff8ea340042400 RBP: ffffe112041ca380 R08: 0000000000000001 R09: 0000000000000000 R10: 6170732e31303000 R11: 70726f632e786563 R12: ffff8ea34728e500 R13: ffff8ea340042400 R14: ffff8ea34728e500 R15: 0000000000800068 FS: 0000000000000000(0000) GS:ffff8ea66fd80000(0000) 000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc25376080 CR3: 000000012a2ba001 CR4: PKRU: 55555554 Call Trace: <TASK> ? show_trace_log_lvl+0x1c4/0x2df ? show_trace_log_lvl+0x1c4/0x2df ? __reconnect_target_unlocked+0x3e/0x160 [cifs] ? __die_body.cold+0x8/0xd ? die+0x2b/0x50 ? do_trap+0xce/0x120 ? __slab_free+0x223/0x3c0 ? do_error_trap+0x65/0x80 ? __slab_free+0x223/0x3c0 ? exc_invalid_op+0x4e/0x70 ? __slab_free+0x223/0x3c0 ? asm_exc_invalid_op+0x16/0x20 ? __slab_free+0x223/0x3c0 ? extract_hostname+0x5c/0xa0 [cifs] ? extract_hostname+0x5c/0xa0 [cifs] ? __kmalloc+0x4b/0x140 __reconnect_target_unlocked+0x3e/0x160 [cifs] reconnect_dfs_server+0x145/0x430 [cifs] cifs_handle_standard+0x1ad/0x1d0 [cifs] cifs_demultiplex_thread+0x592/0x730 [cifs] ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] kthread+0xdd/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x29/0x50 </TASK>
Severity
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 7be3248f313930ff3d3436d4e9ddbe9fccc1f541 , < 1ea68070338518a1d31ce71e6abfe1b30001b27a (git)
Affected: 7be3248f313930ff3d3436d4e9ddbe9fccc1f541 , < a2be5f2ba34d0c6d5ef2624b24e3d852561fcd6a (git)
Affected: 7be3248f313930ff3d3436d4e9ddbe9fccc1f541 , < fa2f9906a7b333ba757a7dbae0713d8a5396186e (git)
Affected: 49f933bb3016269dc50074eac5f6033d127644f1 (git)
Affected: 1c35a216ef77db708178ca225d796271f2f60a7a (git)
Affected: 5.14.19 , < 5.15 (semver)
Affected: 5.15.3 , < 5.16 (semver)
Create a notification for this product.
Linux Linux Affected: 5.16
Unaffected: 0 , < 5.16 (semver)
Unaffected: 6.6.74 , ≤ 6.6.* (semver)
Unaffected: 6.12.11 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21673",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:52:08.291891Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-415",
                "description": "CWE-415 Double Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:12.012Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/connect.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1ea68070338518a1d31ce71e6abfe1b30001b27a",
              "status": "affected",
              "version": "7be3248f313930ff3d3436d4e9ddbe9fccc1f541",
              "versionType": "git"
            },
            {
              "lessThan": "a2be5f2ba34d0c6d5ef2624b24e3d852561fcd6a",
              "status": "affected",
              "version": "7be3248f313930ff3d3436d4e9ddbe9fccc1f541",
              "versionType": "git"
            },
            {
              "lessThan": "fa2f9906a7b333ba757a7dbae0713d8a5396186e",
              "status": "affected",
              "version": "7be3248f313930ff3d3436d4e9ddbe9fccc1f541",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "49f933bb3016269dc50074eac5f6033d127644f1",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "1c35a216ef77db708178ca225d796271f2f60a7a",
              "versionType": "git"
            },
            {
              "lessThan": "5.15",
              "status": "affected",
              "version": "5.14.19",
              "versionType": "semver"
            },
            {
              "lessThan": "5.16",
              "status": "affected",
              "version": "5.15.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/connect.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.74",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.11",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.14.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix double free of TCP_Server_Info::hostname\n\nWhen shutting down the server in cifs_put_tcp_session(), cifsd thread\nmight be reconnecting to multiple DFS targets before it realizes it\nshould exit the loop, so @server-\u003ehostname can\u0027t be freed as long as\ncifsd thread isn\u0027t done.  Otherwise the following can happen:\n\n  RIP: 0010:__slab_free+0x223/0x3c0\n  Code: 5e 41 5f c3 cc cc cc cc 4c 89 de 4c 89 cf 44 89 44 24 08 4c 89\n  1c 24 e8 fb cf 8e 00 44 8b 44 24 08 4c 8b 1c 24 e9 5f fe ff ff \u003c0f\u003e\n  0b 41 f7 45 08 00 0d 21 00 0f 85 2d ff ff ff e9 1f ff ff ff 80\n  RSP: 0018:ffffb26180dbfd08 EFLAGS: 00010246\n  RAX: ffff8ea34728e510 RBX: ffff8ea34728e500 RCX: 0000000000800068\n  RDX: 0000000000800068 RSI: 0000000000000000 RDI: ffff8ea340042400\n  RBP: ffffe112041ca380 R08: 0000000000000001 R09: 0000000000000000\n  R10: 6170732e31303000 R11: 70726f632e786563 R12: ffff8ea34728e500\n  R13: ffff8ea340042400 R14: ffff8ea34728e500 R15: 0000000000800068\n  FS: 0000000000000000(0000) GS:ffff8ea66fd80000(0000)\n  000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007ffc25376080 CR3: 000000012a2ba001 CR4:\n  PKRU: 55555554\n  Call Trace:\n   \u003cTASK\u003e\n   ? show_trace_log_lvl+0x1c4/0x2df\n   ? show_trace_log_lvl+0x1c4/0x2df\n   ? __reconnect_target_unlocked+0x3e/0x160 [cifs]\n   ? __die_body.cold+0x8/0xd\n   ? die+0x2b/0x50\n   ? do_trap+0xce/0x120\n   ? __slab_free+0x223/0x3c0\n   ? do_error_trap+0x65/0x80\n   ? __slab_free+0x223/0x3c0\n   ? exc_invalid_op+0x4e/0x70\n   ? __slab_free+0x223/0x3c0\n   ? asm_exc_invalid_op+0x16/0x20\n   ? __slab_free+0x223/0x3c0\n   ? extract_hostname+0x5c/0xa0 [cifs]\n   ? extract_hostname+0x5c/0xa0 [cifs]\n   ? __kmalloc+0x4b/0x140\n   __reconnect_target_unlocked+0x3e/0x160 [cifs]\n   reconnect_dfs_server+0x145/0x430 [cifs]\n   cifs_handle_standard+0x1ad/0x1d0 [cifs]\n   cifs_demultiplex_thread+0x592/0x730 [cifs]\n   ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]\n   kthread+0xdd/0x100\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x29/0x50\n   \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:56:51.752Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1ea68070338518a1d31ce71e6abfe1b30001b27a"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2be5f2ba34d0c6d5ef2624b24e3d852561fcd6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/fa2f9906a7b333ba757a7dbae0713d8a5396186e"
        }
      ],
      "title": "smb: client: fix double free of TCP_Server_Info::hostname",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21673",
    "datePublished": "2025-01-31T11:25:35.922Z",
    "dateReserved": "2024-12-29T08:45:45.736Z",
    "dateUpdated": "2026-05-23T15:56:51.752Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-21673",
      "date": "2026-06-09",
      "epss": "0.00018",
      "percentile": "0.04742"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21673\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-01-31T12:15:28.463\",\"lastModified\":\"2025-10-01T20:18:18.777\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix double free of TCP_Server_Info::hostname\\n\\nWhen shutting down the server in cifs_put_tcp_session(), cifsd thread\\nmight be reconnecting to multiple DFS targets before it realizes it\\nshould exit the loop, so @server-\u003ehostname can\u0027t be freed as long as\\ncifsd thread isn\u0027t done.  Otherwise the following can happen:\\n\\n  RIP: 0010:__slab_free+0x223/0x3c0\\n  Code: 5e 41 5f c3 cc cc cc cc 4c 89 de 4c 89 cf 44 89 44 24 08 4c 89\\n  1c 24 e8 fb cf 8e 00 44 8b 44 24 08 4c 8b 1c 24 e9 5f fe ff ff \u003c0f\u003e\\n  0b 41 f7 45 08 00 0d 21 00 0f 85 2d ff ff ff e9 1f ff ff ff 80\\n  RSP: 0018:ffffb26180dbfd08 EFLAGS: 00010246\\n  RAX: ffff8ea34728e510 RBX: ffff8ea34728e500 RCX: 0000000000800068\\n  RDX: 0000000000800068 RSI: 0000000000000000 RDI: ffff8ea340042400\\n  RBP: ffffe112041ca380 R08: 0000000000000001 R09: 0000000000000000\\n  R10: 6170732e31303000 R11: 70726f632e786563 R12: ffff8ea34728e500\\n  R13: ffff8ea340042400 R14: ffff8ea34728e500 R15: 0000000000800068\\n  FS: 0000000000000000(0000) GS:ffff8ea66fd80000(0000)\\n  000000\\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n  CR2: 00007ffc25376080 CR3: 000000012a2ba001 CR4:\\n  PKRU: 55555554\\n  Call Trace:\\n   \u003cTASK\u003e\\n   ? show_trace_log_lvl+0x1c4/0x2df\\n   ? show_trace_log_lvl+0x1c4/0x2df\\n   ? __reconnect_target_unlocked+0x3e/0x160 [cifs]\\n   ? __die_body.cold+0x8/0xd\\n   ? die+0x2b/0x50\\n   ? do_trap+0xce/0x120\\n   ? __slab_free+0x223/0x3c0\\n   ? do_error_trap+0x65/0x80\\n   ? __slab_free+0x223/0x3c0\\n   ? exc_invalid_op+0x4e/0x70\\n   ? __slab_free+0x223/0x3c0\\n   ? asm_exc_invalid_op+0x16/0x20\\n   ? __slab_free+0x223/0x3c0\\n   ? extract_hostname+0x5c/0xa0 [cifs]\\n   ? extract_hostname+0x5c/0xa0 [cifs]\\n   ? __kmalloc+0x4b/0x140\\n   __reconnect_target_unlocked+0x3e/0x160 [cifs]\\n   reconnect_dfs_server+0x145/0x430 [cifs]\\n   cifs_handle_standard+0x1ad/0x1d0 [cifs]\\n   cifs_demultiplex_thread+0x592/0x730 [cifs]\\n   ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]\\n   kthread+0xdd/0x100\\n   ? __pfx_kthread+0x10/0x10\\n   ret_from_fork+0x29/0x50\\n   \u003c/TASK\u003e\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: se corrige la doble liberaci\u00f3n de TCP_Server_Info::hostname Al apagar el servidor en cifs_put_tcp_session(), el hilo cifsd podr\u00eda estar reconect\u00e1ndose a m\u00faltiples objetivos DFS antes de darse cuenta de que deber\u00eda salir del bucle, por lo que @server-\u0026gt;hostname no se puede liberar mientras el hilo cifsd no haya terminado. De lo contrario, puede ocurrir lo siguiente: RIP: 0010:__slab_free+0x223/0x3c0 Code: 5e 41 5f c3 cc cc cc cc 4c 89 de 4c 89 cf 44 89 44 24 08 4c 89 1c 24 e8 fb cf 8e 00 44 8b 44 24 08 4c 8b 1c 24 e9 5f fe ff ff \u0026lt;0f\u0026gt; 0b 41 f7 45 08 00 0d 21 00 0f 85 2d ff ff ff e9 1f ff ff ff 80 RSP: 0018:ffffb26180dbfd08 EFLAGS: 00010246 RAX: ffff8ea34728e510 RBX: ffff8ea34728e500 RCX: 0000000000800068 RDX: 0000000000800068 RSI: 0000000000000000 RDI: ffff8ea340042400 RBP: ffffe112041ca380 R08: 0000000000000001 R09: 0000000000000000 R10: 6170732e31303000 R11: 70726f632e786563 R12: ffff8ea34728e500 R13: ffff8ea340042400 R14: ffff8ea34728e500 R15: 0000000000800068 FS: 0000000000000000(0000) GS:ffff8ea66fd80000(0000) 000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc25376080 CR3: 000000012a2ba001 CR4: PKRU: 55555554 Call Trace:  ? show_trace_log_lvl+0x1c4/0x2df ? show_trace_log_lvl+0x1c4/0x2df ? __reconnect_target_unlocked+0x3e/0x160 [cifs] ? __die_body.cold+0x8/0xd ? die+0x2b/0x50 ? do_trap+0xce/0x120 ? __slab_free+0x223/0x3c0 ? do_error_trap+0x65/0x80 ? __slab_free+0x223/0x3c0 ? exc_invalid_op+0x4e/0x70 ? __slab_free+0x223/0x3c0 ? asm_exc_invalid_op+0x16/0x20 ? __slab_free+0x223/0x3c0 ? extract_hostname+0x5c/0xa0 [cifs] ? extract_hostname+0x5c/0xa0 [cifs] ? __kmalloc+0x4b/0x140 __reconnect_target_unlocked+0x3e/0x160 [cifs] reconnect_dfs_server+0x145/0x430 [cifs] cifs_handle_standard+0x1ad/0x1d0 [cifs] cifs_demultiplex_thread+0x592/0x730 [cifs] ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] kthread+0xdd/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x29/0x50 \"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-415\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-415\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.14.19\",\"versionEndExcluding\":\"5.15\",\"matchCriteriaId\":\"CC24A46F-AAF0-46A3-9255-D235078D50BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.15.3\",\"versionEndExcluding\":\"6.6.74\",\"matchCriteriaId\":\"B8FF05FF-1047-4F2A-8C1B-A65DC1A32135\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.11\",\"matchCriteriaId\":\"B7D0DBC3-F63C-4396-8A47-6F3D4FA0556E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"62567B3C-6CEE-46D0-BC2E-B3717FBF7D13\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A073481-106D-4B15-B4C7-FB0213B8E1D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"DE491969-75AE-4A6B-9A58-8FC5AF98798F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"93C0660D-7FB8-4FBA-892A-B064BA71E49E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"034C36A6-C481-41F3-AE9A-D116E5BE6895\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"8AF9DC49-2085-4FFB-A7E3-73DFAFECC7F2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"5DFCDFB8-4FD0-465A-9076-D813D78FE51B\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1ea68070338518a1d31ce71e6abfe1b30001b27a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a2be5f2ba34d0c6d5ef2624b24e3d852561fcd6a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/fa2f9906a7b333ba757a7dbae0713d8a5396186e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-21673\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-01T19:52:08.291891Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-415\", \"description\": \"CWE-415 Double Free\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-01T15:58:46.265Z\"}}], \"cna\": {\"title\": \"smb: client: fix double free of TCP_Server_Info::hostname\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"7be3248f313930ff3d3436d4e9ddbe9fccc1f541\", \"lessThan\": \"1ea68070338518a1d31ce71e6abfe1b30001b27a\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"7be3248f313930ff3d3436d4e9ddbe9fccc1f541\", \"lessThan\": \"a2be5f2ba34d0c6d5ef2624b24e3d852561fcd6a\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"7be3248f313930ff3d3436d4e9ddbe9fccc1f541\", \"lessThan\": \"fa2f9906a7b333ba757a7dbae0713d8a5396186e\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"49f933bb3016269dc50074eac5f6033d127644f1\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1c35a216ef77db708178ca225d796271f2f60a7a\", \"versionType\": \"git\"}], \"programFiles\": [\"fs/smb/client/connect.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.16\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.16\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.6.74\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.12.11\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.12.*\"}, {\"status\": \"unaffected\", \"version\": \"6.13\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"fs/smb/client/connect.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/1ea68070338518a1d31ce71e6abfe1b30001b27a\"}, {\"url\": \"https://git.kernel.org/stable/c/a2be5f2ba34d0c6d5ef2624b24e3d852561fcd6a\"}, {\"url\": \"https://git.kernel.org/stable/c/fa2f9906a7b333ba757a7dbae0713d8a5396186e\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsmb: client: fix double free of TCP_Server_Info::hostname\\n\\nWhen shutting down the server in cifs_put_tcp_session(), cifsd thread\\nmight be reconnecting to multiple DFS targets before it realizes it\\nshould exit the loop, so @server-\u003ehostname can\u0027t be freed as long as\\ncifsd thread isn\u0027t done.  Otherwise the following can happen:\\n\\n  RIP: 0010:__slab_free+0x223/0x3c0\\n  Code: 5e 41 5f c3 cc cc cc cc 4c 89 de 4c 89 cf 44 89 44 24 08 4c 89\\n  1c 24 e8 fb cf 8e 00 44 8b 44 24 08 4c 8b 1c 24 e9 5f fe ff ff \u003c0f\u003e\\n  0b 41 f7 45 08 00 0d 21 00 0f 85 2d ff ff ff e9 1f ff ff ff 80\\n  RSP: 0018:ffffb26180dbfd08 EFLAGS: 00010246\\n  RAX: ffff8ea34728e510 RBX: ffff8ea34728e500 RCX: 0000000000800068\\n  RDX: 0000000000800068 RSI: 0000000000000000 RDI: ffff8ea340042400\\n  RBP: ffffe112041ca380 R08: 0000000000000001 R09: 0000000000000000\\n  R10: 6170732e31303000 R11: 70726f632e786563 R12: ffff8ea34728e500\\n  R13: ffff8ea340042400 R14: ffff8ea34728e500 R15: 0000000000800068\\n  FS: 0000000000000000(0000) GS:ffff8ea66fd80000(0000)\\n  000000\\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n  CR2: 00007ffc25376080 CR3: 000000012a2ba001 CR4:\\n  PKRU: 55555554\\n  Call Trace:\\n   \u003cTASK\u003e\\n   ? show_trace_log_lvl+0x1c4/0x2df\\n   ? show_trace_log_lvl+0x1c4/0x2df\\n   ? __reconnect_target_unlocked+0x3e/0x160 [cifs]\\n   ? __die_body.cold+0x8/0xd\\n   ? die+0x2b/0x50\\n   ? do_trap+0xce/0x120\\n   ? __slab_free+0x223/0x3c0\\n   ? do_error_trap+0x65/0x80\\n   ? __slab_free+0x223/0x3c0\\n   ? exc_invalid_op+0x4e/0x70\\n   ? __slab_free+0x223/0x3c0\\n   ? asm_exc_invalid_op+0x16/0x20\\n   ? __slab_free+0x223/0x3c0\\n   ? extract_hostname+0x5c/0xa0 [cifs]\\n   ? extract_hostname+0x5c/0xa0 [cifs]\\n   ? __kmalloc+0x4b/0x140\\n   __reconnect_target_unlocked+0x3e/0x160 [cifs]\\n   reconnect_dfs_server+0x145/0x430 [cifs]\\n   cifs_handle_standard+0x1ad/0x1d0 [cifs]\\n   cifs_demultiplex_thread+0x592/0x730 [cifs]\\n   ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]\\n   kthread+0xdd/0x100\\n   ? __pfx_kthread+0x10/0x10\\n   ret_from_fork+0x29/0x50\\n   \u003c/TASK\u003e\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.74\", \"versionStartIncluding\": \"5.16\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.12.11\", \"versionStartIncluding\": \"5.16\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.13\", \"versionStartIncluding\": \"5.16\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"5.14.19\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"5.15.3\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T13:06:14.933Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-21673\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-01T19:57:12.012Z\", \"dateReserved\": \"2024-12-29T08:45:45.736Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2025-01-31T11:25:35.922Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.