VYPR
High severity · 7.1 · NVD Advisory · Published Sep 4, 2025 · Updated May 12, 2026

CVE-2025-38728

Description

In the Linux kernel, the following vulnerability has been resolved:

smb3: fix for slab out of bounds on mount to ksmbd

With KASAN enabled, it is possible to get a slab out of bounds during mount to ksmbd due to a missing check in parse_server_interfaces() (see below):

BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x14ee/0x1880 [cifs]
Read of size 4 at addr ffff8881433dba98 by task mount/9827

CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary)
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Dell Inc. Precision Tower 3620/0MWYPT, BIOS 2.13.1 06/14/2019
Call Trace:
 dump_stack_lvl+0x9f/0xf0
 print_report+0xd1/0x670
 __virt_addr_valid+0x22c/0x430
 ? parse_server_interfaces+0x14ee/0x1880 [cifs]
 ? kasan_complete_mode_report_info+0x2a/0x1f0
 ? parse_server_interfaces+0x14ee/0x1880 [cifs]
 kasan_report+0xd6/0x110
 parse_server_interfaces+0x14ee/0x1880 [cifs]
 __asan_report_load_n_noabort+0x13/0x20
 parse_server_interfaces+0x14ee/0x1880 [cifs]
 ? __pfx_parse_server_interfaces+0x10/0x10 [cifs]
 ? trace_hardirqs_on+0x51/0x60
 SMB3_request_interfaces+0x1ad/0x3f0 [cifs]
 ? __pfx_SMB3_request_interfaces+0x10/0x10 [cifs]
 ? SMB2_tcon+0x23c/0x15d0 [cifs]
 smb3_qfs_tcon+0x173/0x2b0 [cifs]
 ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]
 ? cifs_get_tcon+0x105d/0x2120 [cifs]
 ? do_raw_spin_unlock+0x5d/0x200
 ? cifs_get_tcon+0x105d/0x2120 [cifs]
 ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]
 cifs_mount_get_tcon+0x369/0xb90 [cifs]
 ? dfs_cache_find+0xe7/0x150 [cifs]
 dfs_mount_share+0x985/0x2970 [cifs]
 ? check_path.constprop.0+0x28/0x50
 ? save_trace+0x54/0x370
 ? __pfx_dfs_mount_share+0x10/0x10 [cifs]
 ? __lock_acquire+0xb82/0x2ba0
 ? __kasan_check_write+0x18/0x20
 cifs_mount+0xbc/0x9e0 [cifs]
 ? __pfx_cifs_mount+0x10/0x10 [cifs]
 ? do_raw_spin_unlock+0x5d/0x200
 ? cifs_setup_cifs_sb+0x29d/0x810 [cifs]
 cifs_smb3_do_mount+0x263/0x1990 [cifs]

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing bounds check in parse_server_interfaces() in the Linux kernel's CIFS/SMB3 client causes a slab-out-of-bounds read (KASAN) when mounting to a ksmbd server.

Vulnerability

Description

CVE-2025-38728 is a memory safety vulnerability in the Linux kernel's CIFS/SMB3 client implementation. The bug resides in the parse_server_interfaces() function, which is invoked early during the mount process to a ksmbd server. A missing bounds check on incoming network data allows an attacker-controlled server to trigger a slab-out-of-bounds read of 4 bytes, as confirmed by KASAN reports [description].

Exploitation

The attack surface is the mount operation itself. To exploit this, a remote attacker would need to operate a ksmbd (Samba kernel SMB server) instance that the victim's system connects to. No elevated privileges are required beyond the ability to serve SMB3 share information; the vulnerable code path is reached during the normal client-side mount sequence (cifs_mount_get_tcon > smb3_qfs_tcon > SMB3_request_interfaces > parse_server_interfaces) [description]. The server returns interface data whose length the client does not validate, so the client reads beyond the allocated slab memory [description].

Impact

A successful exploit results in a kernel slab-out-of-bounds read, which can leak sensitive kernel memory or, in some configurations, lead to a system crash (denial of service). The KASAN report shows a read of size 4, indicating that an attacker may obtain small amounts of information from adjacent kernel objects [description]. The vulnerability is rated High with a CVSS v3 score of 7.1, reflecting the potential confidentiality and availability impact; no authentication of the attacker is involved, since the malicious server controls the data the client parses.

Mitigation

The Linux kernel community has addressed this bug through a series of stable kernel commits [2][3][4]. Users should apply the latest kernel updates from their distributor. The fix introduces the missing bounds check in parse_server_interfaces() to ensure that the server-provided interface data does not exceed allocated buffers [description]. Affected products include Siemens SIMATIC CN 4100 devices (all versions < V5.0), which list this CVE among those remediated in a future version [1].
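The kind of check the mitigation paragraph describes, as an added example that is not the kernel's code: a parser over a server-supplied chain of interface entries that validates each entry's size and Next offset against the bytes actually received before following it. The entry layout, the names parse_ifaces and build_reply, and the check_* helpers are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in (assumed layout, not the kernel's struct) for one entry of
 * the server's interface list: next is the byte offset to the following entry,
 * 0 marks the last one. Every field here is server-controlled data. */
struct iface_entry {
    uint32_t next, if_index, capability, reserved;
    uint64_t link_speed;
};

/* Walk the chain. Returns the entry count, or -1 if following the server's
 * offsets would read past len: a whole entry must fit in what remains, and
 * next must advance by at least one entry yet stay inside the buffer. */
int parse_ifaces(const uint8_t *buf, size_t len)
{
    int count = 0;
    for (size_t off = 0;;) {
        struct iface_entry e;
        if (len - off < sizeof e)            /* entry would overrun buffer */
            return -1;
        memcpy(&e, buf + off, sizeof e);
        count++;
        if (e.next == 0)
            return count;
        if (e.next < sizeof e || e.next > len - off)
            return -1;                       /* crafted next: too small or past end */
        off += e.next;
    }
}

/* Constructed sample reply: two well-formed entries, 48 bytes in total. */
static size_t build_reply(uint8_t *out)
{
    struct iface_entry e1 = { .next = sizeof e1, .if_index = 1, .link_speed = 1000000000ULL };
    struct iface_entry e2 = { .next = 0, .if_index = 2, .link_speed = 10000000000ULL };
    memcpy(out, &e1, sizeof e1);
    memcpy(out + sizeof e1, &e2, sizeof e2);
    return sizeof e1 + sizeof e2;
}

int check_good_reply(void) { uint8_t b[64]; return parse_ifaces(b, build_reply(b)); }
int check_truncated(void)  { uint8_t b[64]; build_reply(b); return parse_ifaces(b, 30); }
int check_crafted_next(void)             /* patch entry 2's next to 4096: past the end */
{
    uint8_t b[64]; uint32_t bad = 4096; size_t n = build_reply(b);
    memcpy(b + sizeof(struct iface_entry), &bad, sizeof bad);
    return parse_ifaces(b, n);
}
```

The truncated case stops at the second entry because fewer than 24 bytes remain; the crafted case is rejected because the offset points outside the received buffer instead of being followed.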

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
