CVE-2025-40099
Description
In the Linux kernel, the following vulnerability has been resolved:
cifs: parse_dfs_referrals: prevent oob on malformed input
A malicious SMB server can send an invalid reply to FSCTL_DFS_GET_REFERRALS:
- a reply smaller than sizeof(struct get_dfs_referral_rsp)
- a reply with fewer referrals than NumberOfReferrals in the header
Processing of such replies will cause an out-of-bounds (OOB) access.
Return -EINVAL on such replies to prevent the OOB accesses.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing bounds check in the Linux kernel's CIFS DFS referral parser allows a malicious SMB server to trigger an out-of-bounds read when processing a crafted reply.
Vulnerability
The parse_dfs_referrals function in the Linux kernel's CIFS (Common Internet File System) client lacks proper input validation when processing replies to FSCTL_DFS_GET_REFERRALS requests. A malicious SMB server can send an invalid reply that is either smaller than the fixed struct get_dfs_referral_rsp header or that carries a NumberOfReferrals value larger than the number of referral entries actually present in the reply. In both cases the parser trusts the header and reads beyond the end of the received buffer, leading to an out-of-bounds (OOB) access [1][2].
Exploitation
An attacker must operate a malicious SMB server that the target Linux client connects to. No authentication is required; merely triggering a DFS referral request via CIFS is sufficient. The attacker crafts a specially malformed reply, and the kernel's parser reads past the valid data, potentially accessing adjacent memory. This scenario is plausible whenever a Linux system mounts a share from an untrusted or compromised SMB server.
Impact
A successful OOB read can leak sensitive kernel memory or, in more severe cases, cause a kernel panic (denial of service). While the immediate fix prevents OOB access by returning -EINVAL, the underlying issue could have been weaponized for information disclosure or system instability.
Mitigation
The vulnerability is patched in the Linux kernel. Commits [1] and [2] introduce checks to reject replies that are too small or have a mismatched referral count, returning -EINVAL instead of proceeding with the out-of-bounds read. Users should update to a kernel version containing these fixes or apply the backported patches.
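As an added illustration of the two checks the fix introduces (not the kernel's own code), the stand-alone C program below models a DFS referral reply parser that rejects a reply shorter than its fixed header and a reply whose NumberOfReferrals is not backed by bytes actually received, returning -EINVAL in both cases. The struct layouts are a constructed approximation of the kernel's get_dfs_referral_rsp and dfs_referral_level_3, the build_dfs_reply helper exists only to construct well-formed and malformed sample replies, and the per-entry string-offset check is an additional defensive check in this model rather than something the CVE text describes.

```c
/* Added example: simplified model of the bounds checks needed before walking a
 * FSCTL_DFS_GET_REFERRALS reply (CVE-2025-40099). Not the Linux kernel's code;
 * struct layouts are a constructed approximation of the kernel's. */
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's get_dfs_referral_rsp header. */
struct dfs_referral_rsp {
    uint16_t path_consumed;
    uint16_t number_of_referrals;   /* attacker-controlled count */
    uint32_t dfs_flags;
    /* followed by number_of_referrals entries, then the referenced strings */
} __attribute__((packed));

/* Constructed stand-in for a v3 referral entry (dfs_referral_level_3). */
struct dfs_referral_entry {
    uint16_t version;
    uint16_t size;
    uint16_t server_type;
    uint16_t flags;
    uint32_t ttl;
    uint16_t dfs_path_off;          /* offsets are relative to this entry */
    uint16_t alt_path_off;
    uint16_t net_addr_off;
    uint8_t  guid[16];
} __attribute__((packed));

/* Returns the number of referrals on success, or -EINVAL for a malformed
 * reply. `len` is the number of bytes actually received from the server. */
int parse_dfs_referrals(const uint8_t *buf, size_t len)
{
    struct dfs_referral_rsp hdr;
    size_t need, off, str_pos;
    uint16_t n, i;

    /* Check 1 (from the fix): the reply must hold at least the fixed header. */
    if (len < sizeof(hdr))
        return -EINVAL;
    memcpy(&hdr, buf, sizeof(hdr));
    n = hdr.number_of_referrals;

    /* Check 2 (from the fix): every entry the header claims must be present. */
    need = sizeof(hdr) + (size_t)n * sizeof(struct dfs_referral_entry);
    if (len < need)
        return -EINVAL;

    /* Additional check in this model: each string offset must land inside the
     * reply and the string must be NUL-terminated before the buffer ends. */
    for (i = 0; i < n; i++) {
        struct dfs_referral_entry e;
        off = sizeof(hdr) + (size_t)i * sizeof(e);
        memcpy(&e, buf + off, sizeof(e));
        if (e.size < sizeof(e))
            return -EINVAL;
        if (e.net_addr_off) {
            str_pos = off + e.net_addr_off;
            if (str_pos >= len || memchr(buf + str_pos, 0, len - str_pos) == NULL)
                return -EINVAL;
        }
    }
    return n;
}

/* Builds a constructed reply into `out`: the header claims `claimed`
 * referrals but only `actual` entries follow, so claimed > actual models
 * the malformed reply the CVE describes. Returns the reply length. */
size_t build_dfs_reply(uint8_t *out, uint16_t claimed, uint16_t actual)
{
    static const char target[] = "\\fileserver.example\\share"; /* constructed */
    struct dfs_referral_rsp hdr = { 0, claimed, 0 };
    size_t len = 0, str_pos;
    uint16_t i;

    memcpy(out, &hdr, sizeof(hdr));
    len += sizeof(hdr);
    str_pos = sizeof(hdr) + (size_t)actual * sizeof(struct dfs_referral_entry);
    for (i = 0; i < actual; i++) {
        struct dfs_referral_entry e;
        memset(&e, 0, sizeof(e));
        e.version = 3;
        e.size = sizeof(e);
        e.net_addr_off = (uint16_t)(str_pos - len);  /* relative to this entry */
        memcpy(out + len, &e, sizeof(e));
        len += sizeof(e);
    }
    memcpy(out + len, target, sizeof(target));
    return len + sizeof(target);
}

int main(void)
{
    uint8_t buf[512];
    size_t len = build_dfs_reply(buf, 2, 2);
    printf("well-formed reply: %d\n", parse_dfs_referrals(buf, len));
    len = build_dfs_reply(buf, 3, 1);
    printf("count larger than body: %d\n", parse_dfs_referrals(buf, len));
    printf("truncated header: %d\n", parse_dfs_referrals(buf, 4));
    return 0;
}
```

The important property is that the second check is computed from `len`, the byte count the client actually received, and never from anything the server put in the reply; only after it passes are the entries read.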
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
- cfacc7441f76
- 15c73964da9d
- 8bc4a8d39bac
- bb0f2e66e1ac
- 6447b0e35556
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries and fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/15c73964da9df994302f579ed14ee5fdbce7a332 (nvd)
- git.kernel.org/stable/c/6447b0e355562a1ff748c4a2ffb89aae7e84d2c9 (nvd)
- git.kernel.org/stable/c/8bc4a8d39bac23d8b044fd3e2dbfd965f1d9b058 (nvd)
- git.kernel.org/stable/c/bb0f2e66e1ac043a5b238f5bcab4f26f3c317039 (nvd)
- git.kernel.org/stable/c/cfacc7441f760e4a73cc71b6ff1635261d534657 (nvd)