{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-37778", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:23.940Z", "datePublished": "2025-05-01T13:07:16.472Z", "dateUpdated": "2026-05-11T21:14:58.124Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:14:58.124Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix dangling pointer in krb_authenticate\n\nkrb_authenticate frees sess->user and does not set the pointer\nto NULL. It calls ksmbd_krb5_authenticate to reinitialise\nsess->user but that function may return without doing so. If\nthat happens then smb2_sess_setup, which calls krb_authenticate,\nwill be accessing free'd memory when it later uses sess->user."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/smb2pdu.c"], "versions": [{"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "b61f04d5d73c53d183019bafe22fb700a739bac5", "status": "affected", "versionType": "git"}, {"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "d5b554bc8d554ed6ddf443d3db2fad9f665cec10", "status": "affected", "versionType": "git"}, {"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "1db2451de23e98bc864c6a6e52aa0d82c91cb325", "status": "affected", "versionType": "git"}, {"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "6e30c0e10210c714f3d4453dc258d4abcc70364e", "status": "affected", "versionType": "git"}, {"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "e83e39a5f6a01a81411a4558a59a10f87aa88dd6", "status": "affected", "versionType": "git"}, {"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "1e440d5b25b7efccb3defe542a73c51005799a5f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/smb2pdu.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.135", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.88", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.25", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.4", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.1.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.6.88"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.12.25"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.14.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.15"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b61f04d5d73c53d183019bafe22fb700a739bac5"}, {"url": "https://git.kernel.org/stable/c/d5b554bc8d554ed6ddf443d3db2fad9f665cec10"}, {"url": "https://git.kernel.org/stable/c/1db2451de23e98bc864c6a6e52aa0d82c91cb325"}, {"url": "https://git.kernel.org/stable/c/6e30c0e10210c714f3d4453dc258d4abcc70364e"}, {"url": "https://git.kernel.org/stable/c/e83e39a5f6a01a81411a4558a59a10f87aa88dd6"}, {"url": "https://git.kernel.org/stable/c/1e440d5b25b7efccb3defe542a73c51005799a5f"}], "title": "ksmbd: Fix dangling pointer in krb_authenticate", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:54:55.466Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EC280DDC-07A3-4053-8622-2518A4A9B4F2", "versionEndExcluding": "6.1.135", "versionStartIncluding": "5.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E5947E5-45E3-462A-829B-382B3B1C61BD", "versionEndExcluding": "6.6.88", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E59EE65-FA6B-4AE4-8125-26135E28BF35", "versionEndExcluding": "6.12.25", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "29FA1A8E-1C2A-4B0B-B397-2C915ECDEDEE", "versionEndExcluding": "6.14.4", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D465631-2980-487A-8E65-40AE2B9F8ED1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*", "matchCriteriaId": "4C9D071F-B28E-46EC-AC61-22B913390211", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix dangling pointer in krb_authenticate\n\nkrb_authenticate frees sess->user and does not set the pointer\nto NULL. It calls ksmbd_krb5_authenticate to reinitialise\nsess->user but that function may return without doing so. If\nthat happens then smb2_sess_setup, which calls krb_authenticate,\nwill be accessing free'd memory when it later uses sess->user."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ksmbd: Se corrige el puntero colgante en krb_authenticate. krb_authenticate libera sess->user y no establece el puntero en NULL. Llama a ksmbd_krb5_authenticate para reinicializar sess->user, pero es posible que esta funci\u00f3n no lo retorne. Si esto ocurre, smb2_sess_setup, que llama a krb_authenticate, acceder\u00e1 a la memoria liberada cuando utilice posteriormente sess->user."}], "id": "CVE-2025-37778", "lastModified": "2026-04-18T09:16:09.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-01T14:15:41.617", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1db2451de23e98bc864c6a6e52aa0d82c91cb325"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1e440d5b25b7efccb3defe542a73c51005799a5f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6e30c0e10210c714f3d4453dc258d4abcc70364e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b61f04d5d73c53d183019bafe22fb700a739bac5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d5b554bc8d554ed6ddf443d3db2fad9f665cec10"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e83e39a5f6a01a81411a4558a59a10f87aa88dd6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ksmbd: Fix dangling pointer in krb_authenticate", "id": "2363331", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2363331"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nksmbd: Fix dangling pointer in krb_authenticate\nkrb_authenticate frees sess->user and does not set the pointer\nto NULL. It calls ksmbd_krb5_authenticate to reinitialise\nsess->user but that function may return without doing so. If\nthat happens then smb2_sess_setup, which calls krb_authenticate,\nwill be accessing free'd memory when it later uses sess->user."], "name": "CVE-2025-37778", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-05-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-37778\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-37778\nhttps://lore.kernel.org/linux-cve-announce/2025050116-CVE-2025-37778-7202@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-20T15:34:05.331556+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to the latest stable version that contains the patch (e.g., kernel 6.15.3 or newer).", "If a kernel upgrade cannot be performed immediately, disable SMB2/Kerberos authentication in the SMB configuration to eliminate the code path that exercises the vulnerable function.", "After applying the upgrade or configuration change, restart the SMB service to ensure the patch takes effect and monitor logs for any access\u2011after\u2011free errors or crashes."], "summary": {"action": "Immediate Patch", "impact": "Use\u2011After\u2011Free leading to potential Remote Code Execution or Denial of Service"}, "threat_synthesis": {"affected_systems": "The flaw affects the Linux kernel shipped with Debian 11 and all Linux kernel releases up to and including the 6.15 release candidates (RC1 and RC2). All distributions carrying those kernel versions are potentially impacted until the patch is applied.", "description_and_impact": "In the Linux kernel, the krb_authenticate function frees session user data without nulling the pointer and may not reinitialize the pointer when reauthentication occurs. Subsequent SMB2 session setup functions then reference the freed memory, creating a use\u2011after\u2011free condition. The affected code may allow an attacker to trigger memory corruption that can lead to denial of service or arbitrary code execution, a classic CWE\u2011416 vulnerability.", "risk_and_exploitability": "The CVSS score of 7.8 indicates a high impact, and the EPSS score of less than 1% suggests low but non\u2011zero likelihood of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers can likely exploit the flaw remotely by sending crafted SMB/Kerberos requests, as the code path is reachable from network traffic.\n"}}}}, "created": "2026-04-20T15:45:10.394873+00:00", "updated": "2026-04-20T15:45:10.394891+00:00", "vendors": []}