{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68263", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-16T13:41:40.267Z", "datePublished": "2025-12-16T14:45:05.218Z", "dateUpdated": "2026-05-11T21:49:59.480Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:49:59.480Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: ipc: fix use-after-free in ipc_msg_send_request\n\nipc_msg_send_request() waits for a generic netlink reply using an\nipc_msg_table_entry on the stack. The generic netlink handler\n(handle_generic_event()/handle_response()) fills entry->response under\nipc_msg_table_lock, but ipc_msg_send_request() used to validate and free\nentry->response without holding the same lock.\n\nUnder high concurrency this allows a race where handle_response() is\ncopying data into entry->response while ipc_msg_send_request() has just\nfreed it, leading to a slab-use-after-free reported by KASAN in\nhandle_generic_event():\n\n BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]\n Write of size 12 at addr ffff888198ee6e20 by task pool/109349\n ...\n Freed by task:\n kvfree\n ipc_msg_send_request [ksmbd]\n ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd]\n\nFix by:\n- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating\n entry->response, freeing it when invalid, and removing the entry from\n ipc_msg_table.\n- Returning the final entry->response pointer to the caller only after\n the hash entry is removed under the lock.\n- Returning NULL in the error path, preserving the original API\n semantics.\n\nThis makes all accesses to entry->response consistent with\nhandle_response(), which already updates and fills the response buffer\nunder ipc_msg_table_lock, and closes the race that allowed the UAF."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/transport_ipc.c"], "versions": [{"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "de85fb58f9967ba024bb08e0041613d37b57b4d1", "status": "affected", "versionType": "git"}, {"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "708a620b471a14466f1f52c90bf3f65ebdb31460", "status": "affected", "versionType": "git"}, {"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "5ac763713a1ef8f9a8bda1dbd81f0318d67baa4e", "status": "affected", "versionType": "git"}, {"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "759c8c30cfa8706c518e56f67971b1f0932f4b9b", "status": "affected", "versionType": "git"}, {"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "8229c6ca50cea701e25a7ee25f48441b582ec5fa", "status": "affected", "versionType": "git"}, {"version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "lessThan": "1fab1fa091f5aa97265648b53ea031deedd26235", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/smb/server/transport_ipc.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.160", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.120", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.62", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17.12", "lessThanOrEqual": "6.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.1", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.1.160"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.6.120"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.12.62"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.17.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.18.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/de85fb58f9967ba024bb08e0041613d37b57b4d1"}, {"url": "https://git.kernel.org/stable/c/708a620b471a14466f1f52c90bf3f65ebdb31460"}, {"url": "https://git.kernel.org/stable/c/5ac763713a1ef8f9a8bda1dbd81f0318d67baa4e"}, {"url": "https://git.kernel.org/stable/c/759c8c30cfa8706c518e56f67971b1f0932f4b9b"}, {"url": "https://git.kernel.org/stable/c/8229c6ca50cea701e25a7ee25f48441b582ec5fa"}, {"url": "https://git.kernel.org/stable/c/1fab1fa091f5aa97265648b53ea031deedd26235"}], "title": "ksmbd: ipc: fix use-after-free in ipc_msg_send_request", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: ipc: fix use-after-free in ipc_msg_send_request\n\nipc_msg_send_request() waits for a generic netlink reply using an\nipc_msg_table_entry on the stack. The generic netlink handler\n(handle_generic_event()/handle_response()) fills entry->response under\nipc_msg_table_lock, but ipc_msg_send_request() used to validate and free\nentry->response without holding the same lock.\n\nUnder high concurrency this allows a race where handle_response() is\ncopying data into entry->response while ipc_msg_send_request() has just\nfreed it, leading to a slab-use-after-free reported by KASAN in\nhandle_generic_event():\n\n BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]\n Write of size 12 at addr ffff888198ee6e20 by task pool/109349\n ...\n Freed by task:\n kvfree\n ipc_msg_send_request [ksmbd]\n ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd]\n\nFix by:\n- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating\n entry->response, freeing it when invalid, and removing the entry from\n ipc_msg_table.\n- Returning the final entry->response pointer to the caller only after\n the hash entry is removed under the lock.\n- Returning NULL in the error path, preserving the original API\n semantics.\n\nThis makes all accesses to entry->response consistent with\nhandle_response(), which already updates and fills the response buffer\nunder ipc_msg_table_lock, and closes the race that allowed the UAF."}], "id": "CVE-2025-68263", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2025-12-16T15:15:55.813", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1fab1fa091f5aa97265648b53ea031deedd26235"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5ac763713a1ef8f9a8bda1dbd81f0318d67baa4e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/708a620b471a14466f1f52c90bf3f65ebdb31460"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/759c8c30cfa8706c518e56f67971b1f0932f4b9b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8229c6ca50cea701e25a7ee25f48441b582ec5fa"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/de85fb58f9967ba024bb08e0041613d37b57b4d1"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Deferred"}

{"bugzilla": {"description": "kernel: ksmbd: ipc: fix use-after-free in ipc_msg_send_request", "id": "2422748", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2422748"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2025-68263", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-12-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-68263\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68263\nhttps://lore.kernel.org/linux-cve-announce/2025121615-CVE-2025-68263-9c03@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-28T18:31:05.499407+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes the ksmbd IPC use\u2011after\u2011free fix (CVE\u20112025\u201168263).", "If an immediate kernel upgrade is not feasible, stop or disable the ksmbd service to remove the attack surface.", "As an additional precaution, restrict network access to the host\u2019s SMB ports to trusted networks only."], "summary": {"action": "Immediate patch", "impact": "Use\u2011After\u2011Free in ksmbd IPC leading to kernel memory corruption"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that contain the ksmbd user\u2011space facility. The CVE applies to any system running the Linux kernel with ksmbd enabled; no specific version range is listed, so any kernel before the patch that reverts this race is vulnerable. All vendors shipping the stock kernel should be considered impacted.", "description_and_impact": "A race condition in the Linux kernel\u2019s ksmbd IPC implementation allows an attacker to trigger a use\u2011after\u2011free during concurrent message processing. ipc_msg_send_request waits for a generic netlink reply using a stack\u2011allocated entry, while the handler handle_response fills entry->response without holding the same lock. Under high concurrency the handler may copy data into entry->response while ipc_msg_send_request has freed it, causing a slab\u2011use\u2011after\u2011free reported by KASAN. This leads to kernel memory corruption. Based on the use\u2011after\u2011free, it is inferred that an attacker could potentially execute arbitrary code in kernel context, although the CVE description does not explicitly state such exploitation.", "risk_and_exploitability": "The CVSS score of 9.8 indicates critical severity. EPSS is below 1\u202f%, suggesting a low probability of real\u2011world exploitation at present. The vulnerability is not listed in CISA KEV, implying no publicly known exploits yet. The likely attack vector is inferred to be network\u2011based via SMB traffic to a host with ksmbd enabled. Exploiting the race condition may require a sustained or coordinated burst of messages; the specific prerequisites are not detailed in the description and are inferred."}}}}, "created": "2026-04-28T18:45:15.966289+00:00", "updated": "2026-04-28T18:45:15.966338+00:00", "vendors": [], "weaknesses": ["CWE-416"]}