Security Vulnerability Report
CVE-2025-71153 CVSS 5.5 MEDIUM

Published: 2026-01-23 15:16:06
Last Modified: 2026-02-26 20:30:41
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: Fix memory leak in get_file_all_info()

In get_file_all_info(), if vfs_getattr() fails, the function returns immediately without freeing the allocated filename, leading to a memory leak.

Fix this by freeing the filename before returning in this error case.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.6.24, before 6.6.120) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.7.12, before 6.8) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.8.3, before 6.12.64) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.13, before 6.18.4) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* - VULNERABLE
Linux Kernel ksmbd < 0c56693b06a68476ba113db6347e7897475f9e4c
Linux Kernel ksmbd < 5012b4c812230ae066902a00442708c999111183
Linux Kernel ksmbd < 676907004256e0226c7ed3691db9f431404ca258
Linux Kernel ksmbd < d026f47db68638521df8543535ef863814fb01b1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-71153 PoC - Memory leak trigger in ksmbd get_file_all_info()
// This PoC demonstrates the memory leak condition
// (user-space simulation of the error path, not kernel code)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Simulated vulnerable code structure
struct file_info {
    char *filename;
    int fd;
};

// Vulnerable function - get_file_all_info()
int get_file_all_info(const char *path) {
    struct file_info *info = malloc(sizeof(struct file_info));
    if (!info) return -1;

    // Allocate filename memory
    info->filename = malloc(256);
    if (!info->filename) {
        free(info);
        return -1;
    }
    strncpy(info->filename, path, 255);
    info->filename[255] = '\0'; // strncpy() does not terminate a truncated copy
    info->fd = -1;

    // Simulate vfs_getattr() failure
    int ret = -1; // vfs_getattr() fails
    if (ret != 0) {
        // BUG: Memory leak here - filename not freed before return
        // Should be: free(info->filename); free(info);
        return ret;
    }

    // Normal cleanup path (leak doesn't happen here)
    free(info->filename);
    free(info);
    return 0;
}

// Fixed version
int get_file_all_info_fixed(const char *path) {
    struct file_info *info = malloc(sizeof(struct file_info));
    if (!info) return -1;

    info->filename = malloc(256);
    if (!info->filename) {
        free(info);
        return -1;
    }
    strncpy(info->filename, path, 255);
    info->filename[255] = '\0'; // strncpy() does not terminate a truncated copy
    info->fd = -1;

    int ret = -1;
    if (ret != 0) {
        // FIX: Free filename before return
        free(info->filename);
        free(info);
        return ret;
    }

    free(info->filename);
    free(info);
    return 0;
}

int main(void) {
    printf("CVE-2025-71153 Memory Leak PoC\n");
    printf("Triggering vulnerable function...\n");
    for (int i = 0; i < 1000; i++) {
        get_file_all_info("/path/to/invalid/file");
    }
    printf("Memory leak triggered - check with valgrind\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71153", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-23T15:16:06.193", "lastModified": "2026-02-26T20:30:40.757", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix memory leak in get_file_all_info()\n\nIn get_file_all_info(), if vfs_getattr() fails, the function returns\nimmediately without freeing the allocated filename, leading to a memory\nleak.\n\nFix this by freeing the filename before returning in this error case."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nksmbd: Corrección de fuga de memoria en get_file_all_info()\n\nEn get_file_all_info(), si vfs_getattr() falla, la función retorna inmediatamente sin liberar el nombre de archivo asignado, lo que lleva a una fuga de memoria.\n\nCorrija esto liberando el nombre de archivo antes de retornar en este caso de error."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.24", "versionEndExcluding": "6.6.120", "matchCriteriaId": "0A2278DA-ADE3-4EB9-9D1F-7BEBF2896C3E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "6.7.12", "versionEndExcluding": "6.8", "matchCriteriaId": "D6A2C3EC-DA7B-4144-8BAF-2DBB7E8CE4C7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8.3", "versionEndExcluding": "6.12.64", "matchCriteriaId": "85B6A0A3-95B0-4761-9BE1-2CBF7A5C31EA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.4", "matchCriteriaId": "DC988EA0-0E32-457A-BF95-89BEB31A227B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0c56693b06a68476ba113db6347e7897475f9e4c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5012b4c812230ae066902a00442708c999111183", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/676907004256e0226c7ed3691db9f431404ca258", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d026f47db68638521df8543535ef863814fb01b1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}