CVE-2025-38527 [High] | Use-After-Free in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in cifs_oplock_break A race condition can occur in cifs_oplock_break() leading to a use-after-free of the cinode structure when unmounting: cifs_oplock_break() _cifsFileInfo_put(cfile) cifsFileInfo_put_final() cifs_sb_deactive() [last ref, start releasing sb] kill_sb() kill_anon_super() generic_shutdown_super() evict_inodes() dispose_list() evict() destroy_inode() call_rcu(&inode->i_rcu, i_callback) spin_lock(&cinode->open_file_lock) <- OK [later] i_callback() cifs_free_inode() kmem_cache_free(cinode) spin_unlock(&cinode->open_file_lock) <- UAF cifs_done_oplock_break(cinode) <- UAF The issue occurs when umount has already released its reference to the superblock. When _cifsFileInfo_put() calls cifs_sb_deactive(), this releases the last reference, triggering the immediate cleanup of all inodes under RCU. However, cifs_oplock_break() continues to access the cinode after this point, resulting in use-after-free. Fix this by holding an extra reference to the superblock during the entire oplock break operation. This ensures that the superblock and its inodes remain valid until the oplock break completes.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-08-16	—	0.02%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2025-08-16

—

0.02%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.8	3.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	5.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

7.8

3.1

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.8

5.9

[email protected]

OS Trackers for CVE-2025-38527

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2025-38527 not yet assigned priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5, open 1.	https://security-tracker.debian.org/tracker/CVE-2025-38527
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2025-38527
`suse`	medium	CVE-2025-38527 severity moderate: SUSE including 542 source package names (2.1.3-6.80:kernel-default-base-6.4.0-35.1.21.12, 2.1.3-7.57:kernel-default-6.4.0-35.1, …), 1025 product×package rows across 200 product lines (Container suse/sl-micro/6.0/base-os-container, Container suse/sl-micro/6.0/kvm-os-container, … (200 product lines)): Fixed 767, Known Affected 231, First Fixed 21, Known Not Affected 6.	https://www.suse.com/security/cve/CVE-2025-38527/
`ubuntu`	medium	CVE-2025-38527 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1414 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 1017, released 165, ignored 162, needed 41, not-affected 25, needs-triage 2, pending 2.	https://ubuntu.com/security/CVE-2025-38527

Affected software / configurations for CVE-2025-38527

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 3.16.72, < 3.17	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 4.9.171, < 4.10	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 4.14.114, < 4.15	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 4.19.37, < 4.20	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.0.10, < 5.1	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.1.1, < 5.15.190	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.16, < 6.1.147	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.2, < 6.6.100	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.7, < 6.12.40	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.13, < 6.15.8	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	5.1	cpe:2.3:o:linux:linux_kernel:5.1:-::::::
linux	linux_kernel	5.1	cpe:2.3:o:linux:linux_kernel:5.1:rc6::::::
linux	linux_kernel	5.1	cpe:2.3:o:linux:linux_kernel:5.1:rc7::::::
linux	linux_kernel	6.16	cpe:2.3:o:linux:linux_kernel:6.16:rc1::::::
linux	linux_kernel	6.16	cpe:2.3:o:linux:linux_kernel:6.16:rc2::::::
linux	linux_kernel	6.16	cpe:2.3:o:linux:linux_kernel:6.16:rc3::::::
linux	linux_kernel	6.16	cpe:2.3:o:linux:linux_kernel:6.16:rc4::::::
linux	linux_kernel	6.16	cpe:2.3:o:linux:linux_kernel:6.16:rc5::::::
linux	linux_kernel	6.16	cpe:2.3:o:linux:linux_kernel:6.16:rc6::::::
debian	debian_linux	11.0	cpe:2.3:o:debian:debian_linux:11.0:::::::*

References for CVE-2025-38527

URL	Tags
https://git.kernel.org/stable/c/09bce2138a30ef10d8821c8c3f73a4ab7a5726bc	Patch
https://git.kernel.org/stable/c/0a4eec84d4d2c4085d4ed8630fd74e4b39033c1b	Patch
https://git.kernel.org/stable/c/2baaf5bbab2ac474c4f92c10fcb3310f824db995	Patch
https://git.kernel.org/stable/c/4256a483fe58af66a46cbf3dc48ff26e580d3308	Patch
https://git.kernel.org/stable/c/705c79101ccf9edea5a00d761491a03ced314210	Patch
https://git.kernel.org/stable/c/da11bd4b697b393a207f19a2ed7d382a811a3ddc	Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html	Mailing List Third Party Advisory

URL

CVE-2025-38527 | smb: client: fix use-after-free in cifs_oplock_break

Exploit prediction scoring system (EPSS) score for CVE-2025-38527

Common vulnerability scoring system (CVSS) metrics for CVE-2025-38527

Weakness enumeration for CVE-2025-38527

OS Trackers for CVE-2025-38527

Affected software / configurations for CVE-2025-38527

References for CVE-2025-38527