CVE-2025-40039

Severity: Medium (CVSS 3.1 base score 4.7)
EPSS: 2.5%
Published: Oct 28, 2025
Last Modified: Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: Fix race condition in RPC handle list access

The 'sess->rpc_handle_list' XArray manages RPC handles within a ksmbd session. Access to this list is intended to be protected by 'sess->rpc_lock' (an rw_semaphore). However, the locking implementation was flawed, leading to potential race conditions.

In ksmbd_session_rpc_open(), the code incorrectly acquired only a read lock before calling xa_store() and xa_erase(). Since these operations modify the XArray structure, a write lock is required to ensure exclusive access and prevent data corruption from concurrent modifications.

Furthermore, ksmbd_session_rpc_method() accessed the list using xa_load() without holding any lock at all. This could lead to reading inconsistent data or a potential use-after-free if an entry is concurrently removed and the pointer is dereferenced.

Fix these issues by:

  1. Using down_write() and up_write() in ksmbd_session_rpc_open() to ensure exclusive access during XArray modification, and ensuring the lock is correctly released on error paths.
  2. Adding down_read() and up_read() in ksmbd_session_rpc_method() to safely protect the lookup.

CVSS Details

Base Score: 4.7
Exploitability: 1.0
Impact: 3.6
Vector string: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Threat Intelligence

EPSS Exploit Probability: 2.5%
Exploit & Patch Status: No Known Exploit; Patch Available

Weaknesses (1)

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Affected Products (5)

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥5.15.145 – <5.16
linux    linux_kernel   *         ≥6.1.71 – <6.2
linux    linux_kernel   *         ≥6.3 – <6.6.123
linux    linux_kernel   *         ≥6.7 – <6.12.53
linux    linux_kernel   *         ≥6.13 – <6.17.3

References (5)

  • git.kernel.org (Patch): https://git.kernel.org/stable/c/305853cce379407090a73b38c5de5ba748893aee
  • git.kernel.org (Patch): https://git.kernel.org/stable/c/5cc679ba0f4505936124cd4179ba66bb0a4bd9f3
  • git.kernel.org (Patch): https://git.kernel.org/stable/c/69674b029002b1d90b655f014bdf64f404efa54d
  • git.kernel.org (Patch): https://git.kernel.org/stable/c/6b615a8fb3af0baf8126cde3d4fee97d57222ffc
  • git.kernel.org (Patch): https://git.kernel.org/stable/c/6bd7e0e55dcea2cf0d391bbc21c2eb069b4be3e1

Remediation

  • Apply the five stable-tree patches listed under References above for the affected version range in use.