CVE-2025-38575

Severity: MEDIUM (CVSS 3.1 base score 5.5)
2025-04-18 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd), patch available
CVE Published: Apr 18, 2025 - 07:15 (nvd)

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: use aead_request_free to match aead_request_alloc

Use aead_request_free() instead of kfree() to properly free memory allocated by aead_request_alloc(). This ensures sensitive crypto data is zeroed before being freed.

Analysis

A memory management vulnerability exists in the Linux kernel's ksmbd (SMB server) component where the aead_request_alloc() function is paired with kfree() instead of the proper aead_request_free() deallocation function. This vulnerability affects all Linux kernel versions with ksmbd support, particularly impacting Debian 11 systems and other distributions shipping vulnerable kernels. While the CVSS score of 5.5 indicates moderate severity with local denial-of-service potential, the EPSS score of 0.11% (30th percentile) suggests this is not actively exploited in the wild, though the vulnerability enables information disclosure through improper memory zeroing of sensitive cryptographic data.

Technical Context

The vulnerability resides in the ksmbd (kernel SMB daemon) subsystem of the Linux kernel, which implements SMB/CIFS protocol support. The root cause is a resource management error (improper cleanup of cryptographic objects): memory allocated via aead_request_alloc(), a Linux crypto API function used for authenticated encryption with associated data (AEAD), is incorrectly freed with the generic kfree() function instead of the crypto-aware aead_request_free() function. aead_request_free() is specifically designed to zero sensitive cryptographic material before releasing the memory, preventing potential information disclosure. This violates the principle of proper API pairing and represents a use-after-free/improper cleanup pattern. Affected products include all Linux kernel versions (cpe:2.3:o:linux:linux_kernel) and Debian GNU/Linux 11.0 (cpe:2.3:o:debian:debian_linux:11.0). The CWE classification is not explicitly provided but falls under improper resource cleanup and sensitive data exposure categories.
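The following is an added user-space illustration, not code from the kernel or from ksmbd, of why the release routine must match the allocator. It assumes (as in the mainline crypto API) that aead_request_free() ends in kfree_sensitive(), which zeroes the object before handing it back, whereas a bare kfree() does not. The model_* names, the fixed-size arena that stands in for the kernel heap (so memory can be inspected after "free" without undefined behaviour), and the 32-byte key are all constructed for this example.

```c
/*
 * Added example: a small model of the aead_request_alloc()/aead_request_free()
 * pairing. A bump allocator over a static arena replaces the kernel heap so
 * the example can legitimately look at memory after it has been released.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 4096

static unsigned char arena[ARENA_SIZE];   /* stand-in for the kernel heap (constructed) */
static size_t arena_top = 0;              /* bump pointer; frees do not move it */

/* Minimal stand-in for struct aead_request: header followed by driver context. */
struct model_aead_request {
    size_t ctx_len;            /* bytes of context following the header */
    unsigned char ctx[];       /* key schedule / IV / tag scratch in a real driver */
};

/* Model of aead_request_alloc(): carve header + context out of the arena. */
static struct model_aead_request *model_aead_request_alloc(size_t ctx_len)
{
    size_t total = sizeof(struct model_aead_request) + ctx_len;
    if (arena_top + total > ARENA_SIZE)
        return NULL;
    struct model_aead_request *req = (struct model_aead_request *)(arena + arena_top);
    arena_top += total;
    memset(req, 0, total);
    req->ctx_len = ctx_len;
    return req;
}

/* memzero_explicit() equivalent: the barrier keeps the compiler from dropping the store. */
static void model_memzero_explicit(void *p, size_t n)
{
    memset(p, 0, n);
    __asm__ __volatile__("" : : "r"(p) : "memory");
}

/* Buggy pattern (what the fix removes): plain kfree(). The slot is released,
 * but the key material stays in memory for the next user of the allocator. */
static void model_kfree(struct model_aead_request *req)
{
    (void)req;   /* a bump allocator has nothing to do; contents are left intact */
}

/* Correct pattern: aead_request_free() -> kfree_sensitive(): zero, then release. */
static void model_aead_request_free(struct model_aead_request *req)
{
    if (!req)
        return;
    model_memzero_explicit(req, sizeof(*req) + req->ctx_len);
}

/* Scan the whole arena for the constructed key bytes. */
static int arena_contains(const unsigned char *needle, size_t n)
{
    for (size_t i = 0; i + n <= ARENA_SIZE; i++)
        if (memcmp(arena + i, needle, n) == 0)
            return 1;
    return 0;
}

/* One allocate/use/release cycle; returns 1 if key material survives the release. */
static int key_survives_release(int use_matching_free)
{
    static const unsigned char key[] = "CONSTRUCTED-KEY-0123456789ABCDEF"; /* 32 bytes */
    const size_t key_len = sizeof(key) - 1;

    arena_top = 0;
    memset(arena, 0, ARENA_SIZE);

    struct model_aead_request *req = model_aead_request_alloc(key_len);
    if (!req)
        return -1;
    memcpy(req->ctx, key, key_len);   /* driver loads key schedule into the request */

    if (use_matching_free)
        model_aead_request_free(req);
    else
        model_kfree(req);

    return arena_contains(key, key_len);
}

int main(void)
{
    printf("plain kfree (bug):        key still in memory = %d\n", key_survives_release(0));
    printf("aead_request_free (fix):  key still in memory = %d\n", key_survives_release(1));
    return 0;
}
```

Running the block prints 1 for the buggy release and 0 for the matching one: the only behavioural difference between the two cleanup paths is the explicit zeroing, which is exactly what the fix restores.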

Affected Products

The Linux kernel across all versions implementing the ksmbd SMB server component is affected, as indicated by multiple cpe:2.3:o:linux:linux_kernel entries. Debian GNU/Linux 11.0 (cpe:2.3:o:debian:debian_linux:11.0) is explicitly listed as affected. The vulnerability has been resolved via patches available at the Linux kernel stable tree (https://git.kernel.org/stable) with commits 1de7fec4d3012672e31eeb6679ea60f7ca010ef9, 3e341dbd5f5a6e5a558e67da80731dc38a7f758c, 46caeae23035192b9cc41872c827f30d0233f16e, 571b342d4688801fc1f6a1934389dac09425dc93, 6171063e9d046ffa46f51579b2ca4a43caef581a, a6b594868268c3a7bfaeced912525cd2c445529a, and aef10ccd74512c52e30c5ee19d0031850973e78d. Debian has published a security advisory at https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html detailing the fix for Debian 11 LTS.

Remediation

Apply the available kernel patches from the Linux stable tree immediately using your distribution's standard update mechanism. For Debian 11 users, execute apt-get update && apt-get upgrade to incorporate the ksmbd fix referenced in the Debian LTS advisory (https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html). For other distributions, check your vendor's security advisory for patched kernel versions and apply them. If immediate patching is not possible, restrict local shell access to trusted accounts only, as this vulnerability requires local-level privileges (PR:L in CVSS vector). Kernel module loading restrictions (via modprobe blacklist or SELinux) can provide temporary containment if ksmbd is not required. Systems that do not expose SMB shares to untrusted local users face minimal real-world risk and may defer patching to a scheduled maintenance window due to the low EPSS score.

Priority Score

Priority Score: 28 (scale: Low / Medium / High / Critical)
Contributions: KEV 0, EPSS +0.1, CVSS +28, POC 0

Vendor Status


CVE-2025-38575 vulnerability details – vuln.today
