{"id":"CVE-2025-68263","summary":"ksmbd: ipc: fix use-after-free in ipc_msg_send_request","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: ipc: fix use-after-free in ipc_msg_send_request\n\nipc_msg_send_request() waits for a generic netlink reply using an\nipc_msg_table_entry on the stack. The generic netlink handler\n(handle_generic_event()/handle_response()) fills entry-\u003eresponse under\nipc_msg_table_lock, but ipc_msg_send_request() used to validate and free\nentry-\u003eresponse without holding the same lock.\n\nUnder high concurrency this allows a race where handle_response() is\ncopying data into entry-\u003eresponse while ipc_msg_send_request() has just\nfreed it, leading to a slab-use-after-free reported by KASAN in\nhandle_generic_event():\n\n  BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]\n  Write of size 12 at addr ffff888198ee6e20 by task pool/109349\n  ...\n  Freed by task:\n    kvfree\n    ipc_msg_send_request [ksmbd]\n    ksmbd_rpc_open -\u003e ksmbd_session_rpc_open [ksmbd]\n\nFix by:\n- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating\n  entry-\u003eresponse, freeing it when invalid, and removing the entry from\n  ipc_msg_table.\n- Returning the final entry-\u003eresponse pointer to the caller only after\n  the hash entry is removed under the lock.\n- Returning NULL in the error path, preserving the original API\n  semantics.\n\nThis makes all accesses to entry-\u003eresponse consistent with\nhandle_response(), which already updates and fills the response buffer\nunder ipc_msg_table_lock, and closes the race that allowed the UAF.","modified":"2026-04-02T13:03:29.597914Z","published":"2025-12-16T14:45:05.218Z","related":["openSUSE-SU-2025:15836-1","openSUSE-SU-2026:10301-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68263.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1fab1fa091f5aa97265648b53ea031deedd26235"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5ac763713a1ef8f9a8bda1dbd81f0318d67baa4e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/708a620b471a14466f1f52c90bf3f65ebdb31460"},{"type":"WEB","url":"https://git.kernel.org/stable/c/759c8c30cfa8706c518e56f67971b1f0932f4b9b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8229c6ca50cea701e25a7ee25f48441b582ec5fa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/de85fb58f9967ba024bb08e0041613d37b57b4d1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68263.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68263"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0626e6641f6b467447c81dd7678a69c66f7746cf"},{"fixed":"de85fb58f9967ba024bb08e0041613d37b57b4d1"},{"fixed":"708a620b471a14466f1f52c90bf3f65ebdb31460"},{"fixed":"5ac763713a1ef8f9a8bda1dbd81f0318d67baa4e"},{"fixed":"759c8c30cfa8706c518e56f67971b1f0932f4b9b"},{"fixed":"8229c6ca50cea701e25a7ee25f48441b582ec5fa"},{"fixed":"1fab1fa091f5aa97265648b53ea031deedd26235"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68263.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.15.0"},{"fixed":"6.1.160"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.120"
}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.62"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.12"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.18.0"},{"fixed":"6.18.1"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68263.json"}}],"schema_version":"1.7.5"}
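The race in the commit message above, and the shape of the fix, modelled in user space as an added example. This is not ksmbd's own code: the names entry, msg_table, table_lock, handler_fill_response(), requester_collect_unlocked() and requester_collect_locked() are assumptions, a test-and-set spinlock and a linked list stand in for ipc_msg_table_lock and the kernel hash table, the reply validation that ksmbd performs is reduced to a length check, and the two sample payloads are constructed. The pre-fix function keeps the bug's ordering (free outside the lock, unlink afterwards) so it can be compared with the fixed one; the two scenario functions exercise only the fixed path.

```c
/* User-space model of the ipc_msg_send_request()/handle_response() race and of
 * the locking fix. Added example, not ksmbd code: entry, msg_table, table_lock,
 * handler_fill_response() and requester_collect_*() are assumed names; a spinlock
 * and a linked list stand in for ipc_msg_table_lock and the kernel hash table. */
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>
#define PAYLOAD_MAX 12   /* matches the 12-byte write in the KASAN report */

struct ipc_resp { unsigned int len; unsigned char payload[PAYLOAD_MAX]; };
/* models ipc_msg_table_entry, which lives on the requester's stack */
struct entry { unsigned int handle; struct ipc_resp *response; struct entry *next; };

static atomic_flag table_lock = ATOMIC_FLAG_INIT;   /* stands in for ipc_msg_table_lock */
static struct entry *msg_table;                     /* stands in for ipc_msg_table */
static void table_lock_acquire(void) { while (atomic_flag_test_and_set_explicit(&table_lock, memory_order_acquire)) ; }
static void table_lock_release(void) { atomic_flag_clear_explicit(&table_lock, memory_order_release); }

void table_add(struct entry *e)
{
    table_lock_acquire();
    e->next = msg_table; msg_table = e;
    table_lock_release();
}

static void table_del_locked(struct entry *e)   /* caller holds table_lock */
{
    for (struct entry **pp = &msg_table; *pp; pp = &(*pp)->next)
        if (*pp == e) { *pp = e->next; return; }
}

/* Models handle_response(): find the entry and fill entry->response under
 * table_lock. Returns -1 when no entry matches, i.e. the reply is dropped. */
int handler_fill_response(unsigned int handle, const unsigned char *data, unsigned int len)
{
    struct entry *e; int rc = -1;
    if (len > PAYLOAD_MAX) return -1;
    table_lock_acquire();
    for (e = msg_table; e; e = e->next) {
        if (e->handle != handle) continue;
        struct ipc_resp *r = calloc(1, sizeof *r);
        if (!r) break;
        r->len = len;
        memcpy(r->payload, data, len);   /* the write KASAN flagged as use-after-free */
        free(e->response); e->response = r;
        rc = 0; break;
    }
    table_lock_release();
    return rc;
}

/* Pre-fix shape: validate and free entry->response WITHOUT table_lock, unlinking
 * only afterwards, so a handler can still find the entry and write into freed memory. */
struct ipc_resp *requester_collect_unlocked(struct entry *e, unsigned int expect_len)
{
    struct ipc_resp *r = e->response;
    if (r && r->len != expect_len) { free(r); r = NULL; }   /* racy free */
    table_lock_acquire();
    table_del_locked(e);                                    /* too late */
    table_lock_release();
    return r;
}

/* Fixed shape, as the commit describes: validate, free when invalid and unlink
 * the entry all under table_lock; return the final pointer (NULL on the error
 * path) only after the unlink, so a late handler can no longer reach the buffer. */
struct ipc_resp *requester_collect_locked(struct entry *e, unsigned int expect_len)
{
    struct ipc_resp *r;
    table_lock_acquire();
    r = e->response; e->response = NULL;
    if (r && r->len != expect_len) { free(r); r = NULL; }   /* validation reduced to a length check */
    table_del_locked(e);
    table_lock_release();
    return r;
}

/* Scenario 1: a valid reply is returned; a reply arriving afterwards is dropped. */
int late_reply_is_dropped(void)
{
    struct entry e = { .handle = 7 }; struct ipc_resp *r;
    static const unsigned char msg[PAYLOAD_MAX] = "ksmbd-reply";   /* constructed sample */
    table_add(&e);
    if (handler_fill_response(7, msg, PAYLOAD_MAX) != 0) return 0;
    r = requester_collect_locked(&e, PAYLOAD_MAX);
    if (!r || r->len != PAYLOAD_MAX || memcmp(r->payload, msg, PAYLOAD_MAX)) return 0;
    free(r);
    return handler_fill_response(7, msg, PAYLOAD_MAX) == -1 && e.response == NULL;
}

/* Scenario 2: an undersized reply is freed under the lock and NULL is returned. */
int invalid_reply_yields_null(void)
{
    struct entry e = { .handle = 8 };
    static const unsigned char msg[4] = "abc";   /* constructed sample */
    table_add(&e);
    if (handler_fill_response(8, msg, 4) != 0) return 0;
    return requester_collect_locked(&e, PAYLOAD_MAX) == NULL && e.response == NULL;
}
```

The property the fix relies on is visible in scenario 1: once requester_collect_locked() has unlinked the entry under the lock, a reply that arrives later cannot find it and is dropped, so nothing can write into a buffer the requester has already freed. In requester_collect_unlocked() the free happens before the unlink and outside the lock, which is exactly the window the KASAN report captured.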