Security Vulnerability Report
CVE-2025-71151 CVSS 5.5 MEDIUM

CVE-2025-71151

Published: 2026-01-23 15:16:06
Last Modified: 2026-02-26 20:29:08
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix memory and information leak in smb3_reconfigure()

In smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the function returns immediately without freeing and erasing the newly allocated new_password and new_password2. This causes both a memory leak and a potential information leak.

Fix this by calling kfree_sensitive() on both password buffers before returning in this error case.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.6.64, before 6.6.120) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.11.11, before 6.12) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.12.2, before 6.12.64) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.13, before 6.18.3) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* - VULNERABLE
Linux kernel < 5.15.x (see the kernel.org patches for the exact versions)
The smb3_reconfigure() function in the Linux kernel CIFS module is affected
CIFS filesystem configurations using the SMB3 protocol are affected
Reference patch commit: 5679cc90bb5415801fa29041da0319d9e15d295d
Reference patch commit: bb82aaee16907dc4d0b9b0ca7953ceb3edc328c6
Reference patch commit: bc390b2737205163e48cc1655f6a0c8cd55b02fc
Reference patch commit: cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-71151 PoC - Linux Kernel CIFS smb3_reconfigure Memory Leak
// This PoC demonstrates triggering the memory leak condition
// Requires: Local access, low privileges, CIFS/SMB3 filesystem mounted
//
// Note: as written, this program only prints a description of the
// vulnerability and the conditions under which it occurs; it does not
// itself mount anything or interact with the kernel CIFS module.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/*
 * PoC for CVE-2025-71151: Memory leak in smb3_reconfigure()
 *
 * This vulnerability occurs when smb3_sync_session_ctx_passwords() fails
 * during SMB3 session reconfiguration, leaving new_password and new_password2
 * buffers unfreed.
 *
 * Prerequisites:
 * - Root or low-privilege local user access
 * - CIFS filesystem mounted or accessible
 * - SMB3 session that can trigger reconfiguration
 *
 * Note: This is a kernel-level vulnerability. Triggering requires:
 * 1. Mounting a CIFS share with SMB3 protocol
 * 2. Creating conditions that cause smb3_sync_session_ctx_passwords() to fail
 * 3. Triggering reconfiguration (e.g., remount or session reset)
 *
 * Example trigger conditions:
 * - Network interruption during password sync
 * - Invalid credential state
 * - Race condition in session context update
 */

#define MAX_MOUNT_ATTEMPTS 100

int trigger_memory_leak(void)
{
    printf("[*] CVE-2025-71151 PoC - CIFS smb3_reconfigure Memory Leak\n");
    printf("[*] Target: Linux kernel CIFS/SMB3 module\n");
    printf("[*] Vulnerability: smb3_reconfigure() fails to free password buffers\n");
    printf("[*] on smb3_sync_session_ctx_passwords() failure\n\n");

    /*
     * In a real scenario, the following would trigger the vulnerability:
     * 1. Mount a CIFS share using SMB3 protocol
     * 2. Create conditions that cause smb3_sync_session_ctx_passwords() to fail
     * 3. Trigger SMB3 session reconfiguration
     *
     * Example command sequence:
     *   mount.cifs //server/share /mnt/cifs -o user=user,pass=pass,vers=3.0
     *   # Create failure conditions in smb3_sync_session_ctx_passwords
     *   # Trigger reconfiguration
     *   umount /mnt/cifs && mount.cifs //server/share /mnt/cifs -o reconfigure
     */
    printf("[!] This is a kernel-level vulnerability.\n");
    printf("[!] Exploitation requires: \n");
    printf("    - Mounted CIFS share with SMB3 (vers=3.0 or higher)\n");
    printf("    - Ability to trigger SMB3 session reconfiguration\n");
    printf("    - Conditions causing smb3_sync_session_ctx_passwords() failure\n\n");

    printf("[*] Memory leak occurs when:\n");
    printf("    1. smb3_reconfigure() allocates new_password and new_password2\n");
    printf("    2. smb3_sync_session_ctx_passwords() returns error\n");
    printf("    3. Function returns without calling kfree_sensitive()\n\n");

    printf("[*] Impact:\n");
    printf("    - Memory exhaustion through repeated triggers\n");
    printf("    - Potential credential information disclosure\n");
    printf("    - Denial of Service (DoS)\n\n");

    return 0;
}

int main(void)
{
    printf("=================================================\n");
    printf("CVE-2025-71151: Linux Kernel CIFS Memory Leak PoC\n");
    printf("=================================================\n\n");

    trigger_memory_leak();

    printf("\n[*] Reference patches:\n");
    printf("    - git.kernel.org/stable/c/5679cc90bb5415801fa29041da0319d9e15d295d\n");
    printf("    - git.kernel.org/stable/c/bb82aaee16907dc4d0b9b0ca7953ceb3edc328c6\n");
    printf("    - git.kernel.org/stable/c/bc390b2737205163e48cc1655f6a0c8cd55b02fc\n");
    printf("    - git.kernel.org/stable/c/cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d\n\n");

    return 0;
}

References

https://git.kernel.org/stable/c/5679cc90bb5415801fa29041da0319d9e15d295d (Patch)
https://git.kernel.org/stable/c/bb82aaee16907dc4d0b9b0ca7953ceb3edc328c6 (Patch)
https://git.kernel.org/stable/c/bc390b2737205163e48cc1655f6a0c8cd55b02fc (Patch)
https://git.kernel.org/stable/c/cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71151", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-23T15:16:05.917", "lastModified": "2026-02-26T20:29:07.553", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix memory and information leak in smb3_reconfigure()\n\nIn smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the\nfunction returns immediately without freeing and erasing the newly\nallocated new_password and new_password2. This causes both a memory leak\nand a potential information leak.\n\nFix this by calling kfree_sensitive() on both password buffers before\nreturning in this error case."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ncifs: Corrección de fuga de memoria e información en smb3_reconfigure()\n\nEn smb3_reconfigure(), si smb3_sync_session_ctx_passwords() falla, la función retorna inmediatamente sin liberar y borrar los recién asignados new_password y new_password2. 
Esto causa tanto una fuga de memoria como una potencial fuga de información.\n\nEsto se corrige llamando a kfree_sensitive() en ambos búferes de contraseña antes de retornar en este caso de error."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.64", "versionEndExcluding": "6.6.120", "matchCriteriaId": "D93B0800-F70A-4F95-928D-1566F203EF6E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11.11", "versionEndExcluding": "6.12", "matchCriteriaId": "4CBF5F6E-D446-4CAE-AAA4-413442319824"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.2", "versionEndExcluding": "6.12.64", "matchCriteriaId": "4A27D1F6-363F-44C6-A18E-966AFF0CA673"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.3", "matchCriteriaId": "2DC484D8-FB4F-4112-900F-AE333B6FE7A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": 
"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5679cc90bb5415801fa29041da0319d9e15d295d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/bb82aaee16907dc4d0b9b0ca7953ceb3edc328c6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/bc390b2737205163e48cc1655f6a0c8cd55b02fc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}