VYPR
Unrated severity · NVD Advisory · Published Dec 8, 2025 · Updated Apr 15, 2026

CVE-2025-40320

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix potential cfid UAF in smb2_query_info_compound

When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free.

Reinitialize cfid to NULL under the replay label.

Example trace (trimmed):

refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110
[...]
RIP: 0010:refcount_warn_saturate+0x9c/0x110
[...]
Call Trace:
 smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]
 ? step_into+0x10d/0x690
 ? __legitimize_path+0x28/0x60
 smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]
 smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]
 ? kmem_cache_alloc+0x18a/0x340
 ? getname_flags+0x46/0x1e0
 cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]
 statfs_by_dentry+0x67/0x90
 vfs_statfs+0x16/0xd0
 user_statfs+0x54/0xa0
 __do_sys_statfs+0x20/0x50
 do_syscall_64+0x58/0x80

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free vulnerability in the Linux kernel's SMB client can be triggered when smb2_query_info_compound() retries without resetting a previously freed cfid pointer.

The vulnerability resides in the Linux kernel's CIFS/SMB client, specifically in the smb2_query_info_compound function. When the function retries its operation (e.g., due to a transient failure) via the replay label, it fails to reset the cached file identifier (cfid) pointer to NULL. If the first attempt allocated and subsequently freed a cfid structure, the retry path will operate on a stale pointer, leading to a use-after-free condition. This is evidenced by a kernel refcount underflow warning and a stack trace showing the smb2_query_info_compound function calling into the refcount subsystem [1].

The attack surface for exploitation is local, requiring an attacker to have the ability to mount a CIFS/SMB share and trigger file system operations that call smb2_query_info_compound, such as statfs(). The attacker must be able to cause the function's first attempt to fail and then succeed on a retry, which is a realistic scenario on unreliable networks or with crafted SMB server responses. No additional authentication beyond that needed to mount the share is required; the vulnerability can be triggered by a regular user accessing the mounted filesystem.

If successfully exploited, an attacker could cause a denial of service (system crash) through memory corruption, or potentially escalate privileges if the freed memory is reallocated and controlled by the attacker. The most likely impact is a kernel panic or system instability; the trace above shows the refcount underflow warning that precedes it.

The fix is included in the Linux kernel stable branch, commit 939c4e2a56ea8fcedddf0da92df864bd3b, which reinitializes cfid to NULL under the replay label. Users should apply this patch or update to a kernel version containing it. There is no public evidence of active exploitation or inclusion in the CISA KEV catalog at this time.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
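A reduced model of the retry flow described in the commit message and in the mechanics paragraph above, added here as an example and not the kernel's code: the cfid, replay label, open_cached_dir and close_cached_dir names follow the kernel, but the struct, the refcount bookkeeping, the fail-once send and the "cached dir found only on the first try" behaviour are constructed for this illustration. query_info_compound(false) reproduces the cleanup on a stale cfid; query_info_compound(true) applies the one-line fix.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

struct cached_fid { int refcount; bool in_use; };

/* One pooled object, so a pointer left behind after the free stays observable. */
static struct cached_fid pool;

/* Hands out a reference to the cached directory fid; on failure it returns without touching *cfid. */
static void open_cached_dir(bool cached, struct cached_fid **cfid)
{
    if (!cached)
        return;
    pool.refcount = 1;
    pool.in_use = true;
    *cfid = &pool;
}

/* Drops a reference. Returns true on a refcount underflow, the UAF the advisory's trace reports. */
static bool close_cached_dir(struct cached_fid *cfid)
{
    if (!cfid->in_use || cfid->refcount <= 0)
        return true;                     /* stale pointer: object already freed */
    if (--cfid->refcount == 0)
        cfid->in_use = false;            /* last reference gone, object freed */
    return false;
}

/* Models smb2_query_info_compound: first send fails with a replayable error, the replay succeeds.
 * Returns true if cleanup touched a stale cfid. */
bool query_info_compound(bool fixed)
{
    struct cached_fid *cfid = NULL;
    bool underflow = false;
    int attempt = 0, rc;
replay_again:
    if (fixed)
        cfid = NULL;                     /* the fix: reinitialize cfid under the replay label */
    attempt++;
    open_cached_dir(attempt == 1, &cfid);   /* constructed: only the first try finds a cached dir */
    rc = (attempt == 1) ? -EAGAIN : 0;      /* constructed: fail once, then succeed */
    /* cleanup, reached on every attempt before deciding whether to replay */
    if (cfid)
        underflow |= close_cached_dir(cfid);
    if (rc == -EAGAIN && attempt < 2)
        goto replay_again;
    return underflow;
}
```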
