CVE-2025-40268
Description
In the Linux kernel, the following vulnerability has been resolved:
cifs: client: fix memory leak in smb3_fs_context_parse_param
The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation.
To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing.
syzbot reported:

BUG: memory leak
unreferenced object 0xffff888128afa360 (size 96):
  backtrace (crc 79c9c7ba):
    kstrdup+0x3c/0x80 mm/util.c:84
    smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444

BUG: memory leak
unreferenced object 0xffff888112c7d900 (size 96):
  backtrace (crc 79c9c7ba):
    smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629
    smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memory leak in Linux kernel CIFS client when fsconfig is called multiple times, allowing local denial of service via repeated mounts.
The vulnerability is a memory leak in the smb3_fs_context_parse_param function of the Linux kernel's CIFS/SMB3 client. When a user calls fsconfig twice without freeing the previously allocated source string (ctx->source or fc->source), the kernel fails to reclaim the memory from the first call, resulting in two leaked 96-byte buffers per double call, as reported by syzbot. [1][2]
To exploit the issue, a local user with permission to configure CIFS mount contexts can repeatedly invoke fsconfig with different parameters, causing the kernel to allocate new source strings each time while the old ones remain unreferenced. No authentication or special privileges beyond the ability to mount CIFS shares are required. The leak is triggered purely by the sequence of system calls.
An attacker could exhaust system memory by triggering a large number of these leaks, leading to a denial of service. Each leak is small (96 bytes), but accumulation over many calls can deplete memory resources, potentially causing system instability or crashes.
The fix, which releases the source memory before each parsing, has been committed to the Linux kernel stable tree. Administrators are advised to apply the corresponding stable kernel update. As of publication, no evidence of exploitation in the wild has been reported. [1][2]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
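The following is an added, user-space C model of the bug pattern the commit message and the AI Insight describe; it is not kernel code and not taken from this CVE's patches. The struct and function names (fc_model, smb_ctx_model, parse_source_leaky, parse_source_fixed, store_source, teardown) are assumptions for illustration, the sample share paths are constructed, and the model assumes the generic layer releases the last fc->source when the context is put. A counting allocator stands in for kmemleak so the number of unreferenced buffers after "fsconfig twice" can be checked directly: the overwriting parser loses the first ctx->source and the first fc->source (the two 96-byte objects syzbot reported), while the parser that frees both before each parse loses nothing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tracking allocator: counts outstanding buffers so a leak becomes a number
 * we can check rather than something only kmemleak would notice. */
static int live_buffers = 0;

static char *tracked_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p)
        return NULL;
    memcpy(p, s, n);
    live_buffers++;
    return p;
}

static void tracked_free(char *p)
{
    if (p) {
        free(p);
        live_buffers--;
    }
}

/* Model of the two contexts involved (names are assumptions): the generic
 * fs context holds fc->source, the cifs-specific context holds ctx->source. */
struct fc_model {
    char *source;
};

struct smb_ctx_model {
    char *source;
    struct fc_model *fc;
};

/* Common body of "parse the source parameter": duplicate the value into
 * both contexts, as the description says the parse path does. */
static int store_source(struct smb_ctx_model *ctx, const char *value)
{
    ctx->source = tracked_strdup(value);
    if (!ctx->source)
        return -1;
    ctx->fc->source = tracked_strdup(value);
    if (!ctx->fc->source)
        return -1;
    return 0;
}

/* Vulnerable pattern: on the second fsconfig the old pointers are simply
 * overwritten, so the first pair of buffers becomes unreferenced. */
static int parse_source_leaky(struct smb_ctx_model *ctx, const char *value)
{
    return store_source(ctx, value);
}

/* Fixed pattern, as the fix is described: release whatever ctx and fc
 * already hold before parsing the new value. */
static int parse_source_fixed(struct smb_ctx_model *ctx, const char *value)
{
    tracked_free(ctx->source);
    ctx->source = NULL;
    tracked_free(ctx->fc->source);
    ctx->fc->source = NULL;
    return store_source(ctx, value);
}

/* Teardown: the cifs side frees only the current ctx->source; the current
 * fc->source is assumed (model assumption) to be freed by the generic layer. */
static void teardown(struct smb_ctx_model *ctx)
{
    tracked_free(ctx->source);
    ctx->source = NULL;
    tracked_free(ctx->fc->source);
    ctx->fc->source = NULL;
}

/* Run "fsconfig twice" through the given parser and report how many buffers
 * are still live afterwards; anything above zero is leaked memory. */
static int simulate_double_fsconfig(int (*parse)(struct smb_ctx_model *, const char *))
{
    struct fc_model fc = { NULL };
    struct smb_ctx_model ctx = { NULL, &fc };
    const char *first = "//server/share1";   /* constructed sample values */
    const char *second = "//server/share2";

    live_buffers = 0;
    if (parse(&ctx, first) || parse(&ctx, second))
        return -1;
    teardown(&ctx);
    return live_buffers;
}

int main(void)
{
    printf("leaky parser: %d buffer(s) leaked per double fsconfig\n",
           simulate_double_fsconfig(parse_source_leaky));
    printf("fixed parser: %d buffer(s) leaked per double fsconfig\n",
           simulate_double_fsconfig(parse_source_fixed));
    return 0;
}
```

The count of 2 for the leaky parser is why the kmemleak report above shows two unreferenced 96-byte objects for one double call, and why the growth is linear in the number of fsconfig calls: a detection rule on kmemleak output, or a regression test in the spirit of this model, only needs to assert that the count stays at zero across repeated parses.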
Affected products: 2
Patches
4868fc62811d348c17341577e4515743cc7a4e8c73eb7db0a
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0
No linked articles in our index yet.