CVE-2025-38523
📋 TL;DR
This CVE is a Linux kernel vulnerability in the CIFS/SMB Direct client code where the smbd_response slab isn't properly marked for usercopy operations. When CONFIG_HARDENED_USERCOPY is enabled, this causes kernel oopses/panics during SMB file operations. It affects Linux systems using CIFS/SMB Direct with hardened usercopy protection enabled.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially disrupting file operations and system availability.
Likely Case
System crashes or hangs during SMB file operations when hardened usercopy is enabled, causing service disruption.
If Mitigated
No impact if CONFIG_HARDENED_USERCOPY is disabled or the system doesn't use CIFS/SMB Direct.
🎯 Exploit Status
Exploitation requires triggering SMB operations on a system with hardened usercopy enabled. This appears to be a reliability/DoS issue rather than a privilege escalation or data corruption vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patches available in stable kernel trees (commits: 43e7e284fc77b710d899569360ea46fa3374ae22, 87dcc7e33fc3dcb8ed32333cec016528b5bb6ce4, f0dd353d47f7051afa98c6c60c7486831eb1a410)
Vendor Advisory: https://git.kernel.org/stable/c/43e7e284fc77b710d899569360ea46fa3374ae22
Restart Required: Yes
Instructions:
1. Update to a patched kernel version from your distribution vendor. 2. Rebuild kernel if using custom kernel with the patch applied. 3. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable hardened usercopy
LinuxDisable CONFIG_HARDENED_USERCOPY in kernel configuration (reduces security hardening)
Rebuild kernel with CONFIG_HARDENED_USERCOPY=n
Disable SMB Direct
LinuxDisable RDMA/SMB Direct functionality in CIFS mounts
Use 'rdma=0' option in CIFS mount commands
🧯 If You Can't Patch
- Disable SMB Direct by using 'rdma=0' in all CIFS mount configurations
- Monitor systems for kernel panic logs related to usercopy and smbd_response
🔍 How to Verify
Check if Vulnerable:
Check kernel config for CONFIG_HARDENED_USERCOPY=y and verify CIFS/SMB Direct is in use. Check kernel logs for usercopy errors related to smbd_response.Check Version:
uname -rVerify Fix Applied:
Check kernel version includes the fix commits or is newer than patched versions. Verify no usercopy errors appear in kernel logs during SMB operations.📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages with 'usercopy: Kernel memory exposure attempt detected from SLUB object smbd_response'
- CIFS/SMB error logs during file operations
Network Indicators:
- SMB/RDMA traffic patterns that trigger the condition
SIEM Query:
kernel.panic OR "usercopy" AND "smbd_response" OR "CIFS: VFS: RDMA transport established"