High severity7.5OSV Advisory· Published Sep 25, 2025· Updated Apr 15, 2026

CVE-2025-57632

Description

libsmb2 6.2+ is vulnerable to Buffer Overflow. When processing SMB2 chained PDUs (NextCommand), libsmb2 repeatedly calls smb2_add_iovector() to append to a fixed-size iovec array without checking the upper bound of v->niov (SMB2_MAX_VECTORS=256). An attacker can craft responses with many chained PDUs to overflow v->niov and perform heap out-of-bounds writes, causing memory corruption, crashes, and potentially arbitrary code execution. The SMB2_OPLOCK_BREAK path bypasses message ID validation.

Affected products

Sahlberg/Libsmb2OSV
Range: libsmb2-1.0, libsmb2-6.0, libsmb2-6.1, …

Patches

5e75eebf922b

[Security]: fix OOB write in smb2_add_iovector via chained PDUs

https://github.com/sahlberg/libsmb2ZjW1ndAug 18, 2025via osv

commit

1 file changed · +5 −1

lib/init.c+5 −1 modified

@@ -431,7 +431,11 @@ struct smb2_iovec *smb2_add_iovector(struct smb2_context *smb2,
                                      void (*free)(void *))
 {
         struct smb2_iovec *iov = &v->iov[v->niov];
-
+        // Add bounds checking
+        if (v->niov >= SMB2_MAX_VECTORS) {
+            smb2_set_error(smb2, "Too many I/O vectors");
+            return (struct smb2_iovec*) &v->iov[SMB2_MAX_VECTORS - 1]; // We dont return NULL to prevent null point deref.
+        }                                                              // I chose the simplest solution here, it can be treated more elegantly.
         v->iov[v->niov].buf = buf;
         v->iov[v->niov].len = len;
         v->iov[v->niov].free = free;

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000