VYPR
Medium severity (5.5) · NVD Advisory · Published Sep 16, 2025 · Updated May 12, 2026

CVE-2025-39819

Description

In the Linux kernel, the following vulnerability has been resolved:

fs/smb: Fix inconsistent refcnt update

A possible inconsistent update of refcount was identified in smb2_compound_op. Such inconsistent update could lead to possible resource leaks.

Why it is a possible bug:

1. In the comment section of the function, it clearly states that the reference to cfile should be dropped after calling this function.
2. Every control flow path would check and drop the reference to cfile, except the patched one.
3. Existing callers would not handle refcount update of cfile if -ENOMEM is returned.

To fix the bug, an extra goto label "out" is added, to make sure that the cleanup logic would always be respected. As the problem is caused by the allocation failure of vars, the cleanup logic between label "finished" and "out" can be safely ignored. According to the definition of function is_replayable_error, the error code of "-ENOMEM" is not recoverable. Therefore, the replay logic also gets ignored.
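The control-flow shape described above, as an added user-space model that is not the kernel's code: the "before" function returns straight out of the allocation-failure branch and so never reaches the reference drop that every other path performs, while the "after" function adds a second label after the vars cleanup (and, in the real function, after the replay check that -ENOMEM never qualifies for) so the drop runs on every path. The `struct cfile`, `struct vars`, `cfile_get`/`cfile_put`, `vars_alloc`, `send_compound` and `leaked_refs` names are assumptions made for this example; the one-shot allocator failure switch is a constructed stand-in for a real -ENOMEM.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the control-flow bug; names are assumptions, not kernel types. */

/* Stand-in for the cached file handle the real code calls "cfile". */
struct cfile {
    int refcount;
};

static void cfile_get(struct cfile *c) { c->refcount++; }
static void cfile_put(struct cfile *c) { c->refcount--; }

/* Stand-in for the per-call work area the real code calls "vars". */
struct vars {
    char scratch[64];
};

/* Allocator with a one-shot failure switch so the -ENOMEM path can be driven. */
static int fail_next_alloc;

static struct vars *vars_alloc(void)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return calloc(1, sizeof(struct vars));
}

/* Simulated round trip: returns whatever status the caller asks for (0 or -errno). */
static int send_compound(struct vars *vars, int simulated_rc)
{
    snprintf(vars->scratch, sizeof vars->scratch, "compound request");
    return simulated_rc;
}

/* BEFORE the fix: the allocation-failure branch returns directly, never reaching
 * the cfile_put at "finished", so the reference the caller handed in is leaked. */
static int compound_op_before(struct cfile *cfile, int simulated_rc)
{
    struct vars *vars = vars_alloc();
    int rc;

    if (!vars)
        return -ENOMEM;                 /* BUG: skips the cleanup below */

    rc = send_compound(vars, simulated_rc);
    if (rc)
        goto finished;
    /* ... per-command response handling would go here ... */

finished:
    free(vars);
    if (cfile)
        cfile_put(cfile);               /* every other path drops the reference */
    return rc;
}

/* AFTER the fix: a second label "out" sits past the vars cleanup, so the
 * reference drop is reached even when there is nothing else to clean up. */
static int compound_op_after(struct cfile *cfile, int simulated_rc)
{
    struct vars *vars = vars_alloc();
    int rc;

    if (!vars) {
        rc = -ENOMEM;
        goto out;                       /* vars is NULL, but cfile must still be dropped */
    }

    rc = send_compound(vars, simulated_rc);
    if (rc)
        goto finished;
    /* ... per-command response handling would go here ... */

finished:
    free(vars);
out:
    if (cfile)
        cfile_put(cfile);
    return rc;
}

/* Drive one call the way a caller would: take a reference for the op, run it,
 * and report how many references are left over (0 means balanced). */
static int leaked_refs(int use_fix, int fail_alloc, int simulated_rc, int *rc_out)
{
    struct cfile f = { .refcount = 1 };  /* the caller's own reference */
    int rc;

    cfile_get(&f);                       /* reference owned by the op from here on */
    fail_next_alloc = fail_alloc;
    rc = use_fix ? compound_op_after(&f, simulated_rc)
                 : compound_op_before(&f, simulated_rc);
    if (rc_out)
        *rc_out = rc;
    return f.refcount - 1;
}

/* Same drive, but report the operation's return code instead of the leak count. */
static int op_result(int use_fix, int fail_alloc, int simulated_rc)
{
    int rc;
    leaked_refs(use_fix, fail_alloc, simulated_rc, &rc);
    return rc;
}

int main(void)
{
    const struct { const char *name; int fix, fail, rc; } cases[] = {
        { "before, alloc ok  ", 0, 0, 0 },
        { "before, alloc fail", 0, 1, 0 },
        { "after,  alloc fail", 1, 1, 0 },
        { "after,  send -EIO ", 1, 0, -EIO },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc, leaked = leaked_refs(cases[i].fix, cases[i].fail, cases[i].rc, &rc);
        printf("%s: leaked=%d rc=%d\n", cases[i].name, leaked, rc);
    }
    return 0;
}
```

The second case is the one the patch closes: with the allocation forced to fail, the unfixed function leaves one extra reference behind, while the fixed one returns -ENOMEM with the count balanced. The last case shows that an error on the normal path is unaffected by the change, since it still flows through "finished" and then falls into "out".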

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, an inconsistent reference count update in `smb2_compound_op` can cause resource leaks on memory allocation failure.

Root Cause

The vulnerability lies in the Linux kernel's SMB client code, specifically in the function smb2_compound_op. The function's contract requires that the reference to the cfile structure be dropped after execution. However, one control flow path, the one taken when memory allocation for the local variable vars fails, does not perform this cleanup, leaving the reference count inconsistent. This omission can result in a resource leak, as described in the official CVE description.

Attack Vector and Prerequisites

Exploitation occurs when the kernel is performing an SMB compound operation and a memory allocation failure (returning -ENOMEM) triggers the buggy path. No special authentication or network position is required beyond what is normal for mounting an SMB share; the vulnerability is triggered internally by the kernel's memory management. An attacker cannot directly force a memory allocation failure but could potentially influence it through system resource exhaustion.

Impact

If triggered, the reference to cfile is not properly released, causing a reference count leak. This can lead to resource exhaustion over time, potentially degrading system performance or leading to denial of service. The impact is limited to availability; there is no evidence of privilege escalation or information leakage.

Mitigation

The fix adds a new goto label "out" to ensure cleanup logic is executed even on the -ENOMEM path. The error is not replayable, so replay logic is also skipped. The patch has been applied to the Linux kernel stable tree. Users should update to a kernel version containing commit ab529e6ca1f6 or its backport [1][2][3][4].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
