CVE-2025-39975
Description
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix wrong index reference in smb2_compound_op()
In smb2_compound_op(), the loop that processes each command's response uses wrong indices when accessing response buffers.
This incorrect indexing leads to improper handling of command results. Also, if the incorrectly computed index is greater than or equal to MAX_COMPOUND, it can cause out-of-bounds accesses.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's SMB client, an incorrect index reference in smb2_compound_op() causes wrong command response handling and potential out-of-bounds access.
Root Cause
In the Linux kernel's CIFS/SMB2 client subsystem, the function smb2_compound_op() contains a bug where the loop that processes each command's response uses incorrect indices when accessing response buffers. This leads to improper handling of command results. The issue is described in the CVE description and the referenced kernel stable commits [1][2].
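The failure mode described above, as an added illustration that is not the kernel's code: a user-space model of a response loop that classifies each access instead of performing it. The slot layout (slot 0 for a leading open, slot i + 1 for command i), the value of MAX_COMPOUND used here, and the mistyped index expression are all assumptions made for the model.

```c
#include <stdio.h>

#define MAX_COMPOUND 10   /* assumed array bound for this model */

/* Assumed layout: slot 0 holds a leading open's response,
 * slot i + 1 holds the response to command i. */
static int slot_correct(int i) { return i + 1; }

/* Constructed stand-in for a mistyped index expression. */
static int slot_buggy(int i) { return i + i; }

struct audit { int misrouted; int out_of_bounds; };

/* Walk the response loop with the given index mapping and classify
 * each access instead of performing it, so bad cases are counted safely. */
static struct audit audit_loop(int num_cmds, int (*slot)(int))
{
    struct audit a = {0, 0};
    for (int i = 0; i < num_cmds; i++) {
        int idx = slot(i);
        if (idx < 0 || idx >= MAX_COMPOUND)
            a.out_of_bounds++;      /* would touch memory past the array */
        else if (idx != slot_correct(i))
            a.misrouted++;          /* would parse another command's reply */
    }
    return a;
}

/* Defensive accessor: hand back a slot only after a bounds check. */
static const char *rsp_get(const char *rsp[], int idx)
{
    return (idx >= 0 && idx < MAX_COMPOUND) ? rsp[idx] : NULL;
}

int main(void)
{
    /* Constructed sample responses, tagged by owner. */
    const char *rsp[MAX_COMPOUND] = { "open", "cmd0", "cmd1", "cmd2" };
    struct audit ok = audit_loop(7, slot_correct);
    struct audit bad = audit_loop(7, slot_buggy);

    printf("correct: misrouted=%d oob=%d\n", ok.misrouted, ok.out_of_bounds);
    printf("buggy:   misrouted=%d oob=%d\n", bad.misrouted, bad.out_of_bounds);
    printf("checked read of slot 12: %s\n",
           rsp_get(rsp, slot_buggy(6)) ? "returned data" : "rejected");
    return 0;
}
```

In this model a short compound only misroutes results, while a longer one also pushes the index past the array, which matches the two consequences the description lists.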
Attack Vector
An attacker who can trigger compound SMB2 operations on a system running an affected kernel version may exploit this indexing flaw. If the incorrectly computed index is greater than or equal to MAX_COMPOUND, it can cause out-of-bounds memory accesses. The vulnerability resides in the client-side processing of server responses, so a malicious SMB server or a man-in-the-middle capable of influencing SMB responses could potentially trigger the bug. No authentication is required beyond the ability to initiate SMB compound requests.
Impact
Successful exploitation could lead to memory corruption, system crash (denial of service), or potentially privilege escalation depending on how the out-of-bounds access is leveraged. The improper command result handling may also cause data integrity issues or incorrect file system operations.
Mitigation
The fix is included in the Linux kernel stable tree via commits [1] and [2]. Users should apply the latest kernel updates from their distribution. Affected versions include those prior to the patched commits; the vulnerability was discovered and resolved as part of ongoing kernel maintenance.
References
[1] Kernel stable commit: bfb1e2aad1fecef8320fd71332acde0d53a8d699
[2] Kernel stable commit: 093615fc76063ea08d454ba86677ce64c736e806
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 4 (ba7bcfd52c66, bfb1e2aad1fe, 093615fc7606, fbe2dc6a9c73)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.