CVE-2025-40103

Vulnerability

Description

The Linux kernel's SMB client implementation contains a reference count leak vulnerability in the cifs_sb_tlink function. According to the official CVE description, the comments for cifs_sb_tlink explicitly state that cifs_put_tlink() must be called after a successful cifs_sb_tlink() call. However, three call sites fail to perform this cleanup, causing the reference count to remain elevated and resulting in resource leaks.

Attack

Vector and Prerequisites

An attacker can trigger the vulnerable code paths through normal SMB filesystem operations. The attack requires network access to a CIFS/SMB share and the ability to initiate operations that invoke the three affected call sites. No special privileges beyond standard file system access are needed, though the attacker must be able to cause repeated calls to these functions to maximize the leak.

Impact

Successful exploitation leads to a gradual memory leak in the kernel, as the unreleased references consume kernel memory over time. In a worst-case scenario, an attacker could exhaust system memory, potentially causing a denial of service (DoS) condition by crashing the system or making it unresponsive.

Mitigation

Patches addressing this issue have been committed to the Linux kernel stable trees. Users should update their kernel to the latest stable version that includes the fix. There is no known workaround other than applying the patch or disabling SMB client functionality if not needed.