CVE-2025-38728

7.1 HIGH

📋 TL;DR

A slab out-of-bounds read vulnerability in the Linux kernel's SMB3 implementation allows attackers to read kernel memory during mount operations to ksmbd servers. This affects Linux systems using the cifs/smb3 module; KASAN, when enabled, is what detects and reports the out-of-bounds read. The vulnerability can lead to information disclosure and potential system instability.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions containing the vulnerable code (specific versions not provided in CVE, but patches exist for stable branches)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Requires KASAN (Kernel Address Sanitizer) enabled to trigger the slab out-of-bounds detection. The vulnerability exists regardless of KASAN, but KASAN makes it detectable.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel memory disclosure leading to privilege escalation, system crash, or information leakage of sensitive kernel data.

🟠 Likely Case

System instability, kernel panic, or denial of service during SMB mount operations.

🟢 If Mitigated

Limited impact if KASAN is disabled, though the underlying bug still exists.

🌐 Internet-Facing: MEDIUM - Requires SMB mount capability, which is less common on internet-facing systems.
🏢 Internal Only: HIGH - Internal systems frequently use SMB mounts for file sharing and could be exploited by authenticated users.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to trigger SMB mount operations. The vulnerability was discovered through KASAN testing, suggesting it may not be actively exploited in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in stable kernel trees (commits: 7d34ec36abb84fdfb6632a0f2cbda90379ae21fc, 8de33d4d72e8fae3502ec3850bd7b14e7c7328b6, 9bdb8e98a0073c73ab3e6c631ec78877ceb64565, a0620e1525663edd8c4594f49fb75fe5be4724b0, a542f93a123555d09c3ce8bc947f7b56ad8e6463)

Vendor Advisory: https://git.kernel.org/stable/c/7d34ec36abb84fdfb6632a0f2cbda90379ae21fc

Restart Required: Yes

Instructions:

1. Update to a patched kernel version from your distribution's repositories.
2. Reboot the system to load the new kernel.
3. Verify the kernel version after reboot.

🔧 Temporary Workarounds

Disable KASAN

linux

Disabling Kernel Address Sanitizer prevents detection of the out-of-bounds read but doesn't fix the underlying vulnerability.

Rebuild kernel with CONFIG_KASAN=n

Restrict SMB mount operations

linux

Limit which users can perform SMB mount operations to reduce attack surface.

Use filesystem permissions to restrict access to mount utilities
Implement SELinux/AppArmor policies to control mount operations

🧯 If You Can't Patch

  • Implement network segmentation to isolate systems performing SMB mounts
  • Monitor for unusual mount activities and kernel panic logs

🔍 How to Verify

Check if Vulnerable:

Check if your kernel version includes the vulnerable code by examining the cifs module version and checking for the specific git commits mentioned in the CVE.

Check Version:

uname -r

Verify Fix Applied:

Verify the kernel version includes one of the patch commits: 7d34ec36abb84fdfb6632a0f2cbda90379ae21fc or related fixes.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • KASAN error reports mentioning parse_server_interfaces
  • System logs showing mount failures

Network Indicators:

  • Unusual SMB mount attempts from unexpected sources

SIEM Query:

source="kernel" AND ("KASAN" OR "slab-out-of-bounds" OR "parse_server_interfaces")
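The SIEM query above matches any KASAN report, not only this one. The following added example (not part of the original advisory) pairs each KASAN header line with its access line and keeps only reports whose faulting function is parse_server_interfaces; the log lines, addresses, offsets, host name and the second function name are constructed sample values.

```python
import re
import sys

# Header of a KASAN report: "BUG: KASAN: <type> in <func>+0x<off>/0x<len> [<module>]"
KASAN_HDR = re.compile(
    r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+"
    r"(?: \[(?P<module>\w+)\])?")
# Access line that follows: "Read of size N at addr <addr> by task <comm>/<pid>"
KASAN_ACCESS = re.compile(
    r"(?P<op>Read|Write) of size (?P<size>\d+) at addr [0-9a-f]+"
    r" by task (?P<task>.+)/(?P<pid>\d+)")

def find_kasan_reports(lines, func="parse_server_interfaces"):
    """Return one dict per KASAN report whose faulting function is `func`."""
    reports, pending = [], None
    for line in lines:
        hdr = KASAN_HDR.search(line)
        if hdr:
            # A header always starts a new report, even if the last one was cut short.
            pending = hdr.groupdict() if hdr["func"] == func else None
            if pending is not None:
                reports.append(pending)
            continue
        acc = KASAN_ACCESS.search(line)
        if acc and pending is not None:
            pending.update(op=acc["op"], size=int(acc["size"]),
                           task=acc["task"], pid=int(acc["pid"]))
            pending = None
    return reports

# Constructed kernel log excerpt (not taken from a real system).
SAMPLE_LOG = """\
[  101.000001] CIFS: Attempting to mount //fileserver.example/share
[  101.000210] BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x1a2/0x3c0 [cifs]
[  101.000215] Read of size 4 at addr ffff888000000000 by task mount.cifs/4242
[  101.000300] CPU: 1 PID: 4242 Comm: mount.cifs Not tainted
[  205.500000] BUG: KASAN: use-after-free in hypothetical_other_func+0x10/0x80
[  205.500004] Write of size 8 at addr ffff888000001000 by task kworker/0:1/77
""".splitlines()

if __name__ == "__main__":
    # Usage: journalctl -k --no-pager | python3 this_script.py
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for r in find_kasan_reports(source):
        print(f"{r['kind']} in {r['func']} [{r['module']}]: {r.get('op')} "
              f"of size {r.get('size')} by {r.get('task')}/{r.get('pid')}")
```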
