CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-37924: ksmbd: fix use-after-free in kerberos authentication

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in kerberos authentication

Setting sess->user = NULL was introduced to fix the dangling pointer
created by ksmbd_free_user. However, it is possible another thread could
be operating on the session and make use of sess->user after it has been
passed to ksmbd_free_user but before sess->user is set to NULL.

Classification

CVE ID: CVE-2025-37924

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.15% (probability of being exploited)

EPSS Percentile: 36.68% (scored less or equal to compared to others)

EPSS Date: 2025-06-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-37924
https://git.kernel.org/stable/c/e34a33d5d7e87399af0a138bb32f6a3e95dd83d2
https://git.kernel.org/stable/c/b447463562238428503cfba1c913261047772f90
https://git.kernel.org/stable/c/e18c616718018dfc440e4a2d2b94e28fe91b1861
https://git.kernel.org/stable/c/28c756738af44a404a91b77830d017bb0c525890
https://git.kernel.org/stable/c/e86e9134e1d1c90a960dd57f59ce574d27b9a124

Timeline

2025-05-20 17:40:22 UTC
CVE

ksmbd: fix use-after-free in kerberos authentication