{"id":"CVE-2025-38488","summary":"smb: client: fix use-after-free in crypt_message when using async crypto","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in crypt_message when using async crypto\n\nThe CVE-2024-50047 fix removed asynchronous crypto handling from\ncrypt_message(), assuming all crypto operations are synchronous.\nHowever, when hardware crypto accelerators are used, this can cause\nuse-after-free crashes:\n\n  crypt_message()\n    // Allocate the creq buffer containing the req\n    creq = smb2_get_aead_req(..., &req);\n\n    // Async encryption returns -EINPROGRESS immediately\n    rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);\n\n    // Free creq while async operation is still in progress\n    kvfree_sensitive(creq, ...);\n\nHardware crypto modules often implement async AEAD operations for\nperformance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS,\nthe operation completes asynchronously. Without crypto_wait_req(),\nthe function immediately frees the request buffer, leading to crashes\nwhen the driver later accesses the freed memory.\n\nThis results in a use-after-free condition when the hardware crypto\ndriver later accesses the freed request structure, leading to kernel\ncrashes with NULL pointer dereferences.\n\nThe issue occurs because crypto_alloc_aead() with mask=0 doesn't\nguarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in\nthe mask, async implementations can be selected.\n\nFix by restoring the async crypto handling:\n- DECLARE_CRYPTO_WAIT(wait) for completion tracking\n- aead_request_set_callback() for async completion notification\n- crypto_wait_req() to wait for operation completion\n\nThis ensures the request buffer isn't freed until the crypto operation\ncompletes, whether synchronous or asynchronous, while preserving the\nCVE-2024-50047 fix.","modified":"2026-04-16T04:31:25.487695255Z","published":"2025-07-28T11:21:52.085Z","related":["SUSE-SU-2025:03600-1","SUSE-SU-2025:03601-1","SUSE-SU-2025:03602-1","SUSE-SU-2025:03613-1","SUSE-SU-2025:03614-1","SUSE-SU-2025:03615-1","SUSE-SU-2025:03626-1","SUSE-SU-2025:03628-1","SUSE-SU-2025:03633-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20851-1","SUSE-SU-2025:20861-1","SUSE-SU-2025:20870-1","SUSE-SU-2025:20898-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","SUSE-SU-2025:3716-1","SUSE-SU-2025:3725-1","SUSE-SU-2025:3751-1","SUSE-SU-2025:3761-1","SUSE-SU-2026:0939-1","SUSE-SU-2026:0940-1","SUSE-SU-2026:0941-1","SUSE-SU-2026:0951-1","SUSE-SU-2026:0953-1","SUSE-SU-2026:0954-1","SUSE-SU-2026:0958-1","SUSE-SU-2026:0983-1","SUSE-SU-2026:0985-1","SUSE-SU-2026:0992-1","SUSE-SU-2026:1000-1","SUSE-SU-2026:1002-1","SUSE-SU-2026:1039-1","SUSE-SU-2026:1044-1","SUSE-SU-2026:1046-1","SUSE-SU-2026:1049-1","SUSE-SU-2026:1073-1","SUSE-SU-2026:1083-1","SUSE-SU-2026:1088-1","SUSE-SU-2026:1089-1","SUSE-SU-2026:1096-1","SUSE-SU-2026:1101-1","SUSE-SU-2026:1125-1","SUSE-SU-2026:1132-1","SUSE-SU-2026:20831-1","SUSE-SU-2026:20841-1","SUSE-SU-2026:20847-1","SUSE-SU-2026:20848-1","SUSE-SU-2026:20849-1","SUSE-SU-2026:20850-1","SUSE-SU-2026:20851-1","SUSE-SU-2026:20852-1","SUSE-SU-2026:20853-1","SUSE-SU-2026:20854-1","SUSE-SU-2026:20857-1","SUSE-SU-2026:20858-1","SUSE-SU-2026:20859-1","SUSE-SU-2026:20860-1","SUSE-SU-2026:20861-1","SUSE-SU-2026:20862-1","SUSE-SU-2026:20863-1","SUSE-SU-2026:20880-1","SUSE-SU-2026:20881-1","SUSE-SU-2026:20882-1","SUSE-SU-2026:20883-1","SUSE-SU-2026:20884-1","SUSE-SU-2026:20885-1","SUSE-SU-2026:20886-1","SUSE-SU-2026:20891-1","SUSE-SU-2026:20892-1","SUSE-SU-2026:20893-1","SUSE-SU-2026:20894-1","SUSE-SU-2026:20895-1","SUSE-SU-2026:20896-1","SUSE-SU-2026:20897-1","SUSE-SU-2026:20898-1","SUSE-SU-2026:20946-1","openSUSE-SU-2025:20081-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38488.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/15a0a5de49507062bc3be4014a403d8cea5533de"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2a76bc2b24ed889a689fb1c9015307bf16aafb5b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5d047b12f86cc3b9fde1171c02d9bccf4dba0632"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6550b2bef095d0dd2d2c8390d2ea4c3837028833"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8ac90f6824fc44d2e55a82503ddfc95defb19ae0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9a1d3e8d40f151c2d5a5f40c410e6e433f62f438"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b220bed63330c0e1733dc06ea8e75d5b9962b6b6"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38488.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38488"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"8f14a476abba13144df5434871a7225fd29af633"},{"fixed":"5d047b12f86cc3b9fde1171c02d9bccf4dba0632"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ef51c0d544b1518b35364480317ab6d3468f205d"},{"fixed":"6550b2bef095d0dd2d2c8390d2ea4c3837028833"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"bce966530fd5542bbb422cb45ecb775f7a1a6bc3"},{"fixed":"9a1d3e8d40f151c2d5a5f40c410e6e433f62f438"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0809fb86ad13b29e1d6d491364fc7ea4fb545995"},{"fixed":"15a0a5de49507062bc3be4014a403d8cea5533de"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b0abcd65ec545701b8793e12bc27dc98042b151a"},{"fixed":"2a76bc2b24ed889a689fb1c9015307bf16aafb5b"},{"fixed":"8ac90f6824fc44d2e55a82503ddfc95defb19ae0"},{"fixed":"b220bed63330c0e1733dc06ea8e75d5b9962b6b6"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"538c26d9bf70c90edc460d18c81008a4e555925a"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38488.json"}}],"schema_version":"1.7.5"}