Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

CVE-2025-39932— smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work)

AI Predicted 6.5 Difficulty: Moderate EPSS 0.01% · P2

Affected Version Matrix 8

VendorProductVersion RangeStatus
LinuxLinuxf198186aa9bbd60fae7a2061f4feec614d880299< 6ae90a2baf923e85eb037b636aa641250bf4220faffected
f198186aa9bbd60fae7a2061f4feec614d880299< 3fabb1236f2e3ad78d531be0a4ad9f4a4ccdda87affected
f198186aa9bbd60fae7a2061f4feec614d880299< d9dcbbcf9145b68aa85c40947311a6907277e097affected
4.16affected
< 4.16unaffected
6.12.49≤ 6.12.*unaffected
6.16.9≤ 6.16.*unaffected
6.17≤ *unaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-39932

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work)
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work) In smbd_destroy() we may destroy the memory so we better wait until post_send_credits_work is no longer pending and will never be started again. I actually just hit the case using rxe: WARNING: CPU: 0 PID: 138 at drivers/infiniband/sw/rxe/rxe_verbs.c:1032 rxe_post_recv+0x1ee/0x480 [rdma_rxe] ... [ 5305.686979] [ T138] smbd_post_recv+0x445/0xc10 [cifs] [ 5305.687135] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5305.687149] [ T138] ? __kasan_check_write+0x14/0x30 [ 5305.687185] [ T138] ? __pfx_smbd_post_recv+0x10/0x10 [cifs] [ 5305.687329] [ T138] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 5305.687356] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5305.687368] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5305.687378] [ T138] ? _raw_spin_unlock_irqrestore+0x11/0x60 [ 5305.687389] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5305.687399] [ T138] ? get_receive_buffer+0x168/0x210 [cifs] [ 5305.687555] [ T138] smbd_post_send_credits+0x382/0x4b0 [cifs] [ 5305.687701] [ T138] ? __pfx_smbd_post_send_credits+0x10/0x10 [cifs] [ 5305.687855] [ T138] ? __pfx___schedule+0x10/0x10 [ 5305.687865] [ T138] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 5305.687875] [ T138] ? queue_delayed_work_on+0x8e/0xa0 [ 5305.687889] [ T138] process_one_work+0x629/0xf80 [ 5305.687908] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5305.687917] [ T138] ? __kasan_check_write+0x14/0x30 [ 5305.687933] [ T138] worker_thread+0x87f/0x1570 ... It means rxe_post_recv was called after rdma_destroy_qp(). This happened because put_receive_buffer() was triggered by ib_drain_qp() and called: queue_work(info->workqueue, &info->post_send_credits_work);
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于未正确等待post_send_credits_work完成,可能导致内存损坏。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux f198186aa9bbd60fae7a2061f4feec614d880299 ~ 6ae90a2baf923e85eb037b636aa641250bf4220f -
LinuxLinux 4.16 -

II. Public POCs for CVE-2025-39932

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-39932

登录查看更多情报信息。

Patches & Fixes for CVE-2025-39932 (3)

Same Patch Batch · Linux · 2025-10-04 · 144 CVEs total

CVE-2025-399469.8 CRITICALtls: make sure to abort the stream if headers are bogus
CVE-2022-50491coresight: cti: Fix hang in cti_disable_hw()
CVE-2023-53581net/mlx5e: Check for NOT_READY flag state after locking
CVE-2023-53580USB: Gadget: core: Help prevent panic during UVC unconfigure
CVE-2022-50507fs/ntfs3: Validate data run offset
CVE-2022-50508wifi: mt76: mt76x0: fix oob access in mt76x0_phy_get_target_power
CVE-2022-50506drbd: only clone bio if we have a backing device
CVE-2022-50504powerpc/rtas: avoid scheduling in rtas_os_term()
CVE-2022-50505iommu/amd: Fix pci device refcount leak in ppr_notifier()
CVE-2022-50503mtd: lpddr2_nvm: Fix possible null-ptr-deref
CVE-2022-50501media: coda: Add check for dcoda_iram_alloc
CVE-2022-50500netdevsim: fix memory leak in nsim_drv_probe() when nsim_dev_resources_register() failed
CVE-2022-50499media: dvb-core: Fix double free in dvb_register_device()
CVE-2022-50497binfmt_misc: fix shift-out-of-bounds in check_special_flags
CVE-2022-50498eth: alx: take rtnl_lock on resume
CVE-2022-50496dm cache: Fix UAF in destroy()
CVE-2022-50494thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash
CVE-2022-50493scsi: qla2xxx: Fix crash when I/O abort times out
CVE-2022-50492drm/msm: fix use-after-free on probe deferral
CVE-2023-53572clk: imx: scu: use _safe list iterator to avoid a use after free

Showing top 20 of 144 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2025-39932

No comments yet

Leave a comment