CVE-2025-68219 (GCVE-0-2025-68219)
Vulnerability from cvelistv5
Published: 2025-12-16 13:57
Modified: 2025-12-16 13:57
Summary
In the Linux kernel, the following vulnerability has been resolved:

cifs: fix memory leak in smb3_fs_context_parse_param error path

Add proper cleanup of ctx->source and fc->source to the cifs_parse_mount_err error handler. This ensures that memory allocated for the source strings is correctly freed on all error paths, matching the cleanup already performed in the success path by smb3_cleanup_fs_context_contents(). Pointers are also set to NULL after freeing to prevent potential double-free issues.

This change fixes a memory leak originally detected by syzbot. The leak occurred when processing Opt_source mount options if an error happened after ctx->source and fc->source were successfully allocated but before the function completed.

The specific leak sequence was:
1. ctx->source = smb3_fs_context_fullpath(ctx, '/') allocates memory
2. fc->source = kstrdup(ctx->source, GFP_KERNEL) allocates more memory
3. A subsequent error jumps to cifs_parse_mount_err
4. The old error handler freed passwords but not the source strings, causing the memory to leak.

This issue was not addressed by commit e8c73eb7db0a ("cifs: client: fix memory leak in smb3_fs_context_parse_param"), which only fixed leaks from repeated fsconfig() calls but not this error path.

Patch updated with minor change suggested by kernel test robot
Impacted products
Vendor Product Version
Linux Linux Version: 24e0a1eff9e2b9835a6e7c17039dfb6ecfd81f1f


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/fs_context.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7627864dc3121f39e220f5253a227edf472de59e",
              "status": "affected",
              "version": "24e0a1eff9e2b9835a6e7c17039dfb6ecfd81f1f",
              "versionType": "git"
            },
            {
              "lessThan": "48d69290270891f988e72edddd9688c20515421d",
              "status": "affected",
              "version": "24e0a1eff9e2b9835a6e7c17039dfb6ecfd81f1f",
              "versionType": "git"
            },
            {
              "lessThan": "37010021d7e0341bb241ca00bcbae31f2c50b23f",
              "status": "affected",
              "version": "24e0a1eff9e2b9835a6e7c17039dfb6ecfd81f1f",
              "versionType": "git"
            },
            {
              "lessThan": "7e4d9120cfa413dd34f4f434befc5dbe6c38b2e5",
              "status": "affected",
              "version": "24e0a1eff9e2b9835a6e7c17039dfb6ecfd81f1f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/fs_context.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix memory leak in smb3_fs_context_parse_param error path\n\nAdd proper cleanup of ctx-\u003esource and fc-\u003esource to the\ncifs_parse_mount_err error handler. This ensures that memory allocated\nfor the source strings is correctly freed on all error paths, matching\nthe cleanup already performed in the success path by\nsmb3_cleanup_fs_context_contents().\nPointers are also set to NULL after freeing to prevent potential\ndouble-free issues.\n\nThis change fixes a memory leak originally detected by syzbot. The\nleak occurred when processing Opt_source mount options if an error\nhappened after ctx-\u003esource and fc-\u003esource were successfully\nallocated but before the function completed.\n\nThe specific leak sequence was:\n1. ctx-\u003esource = smb3_fs_context_fullpath(ctx, \u0027/\u0027) allocates memory\n2. fc-\u003esource = kstrdup(ctx-\u003esource, GFP_KERNEL) allocates more memory\n3. A subsequent error jumps to cifs_parse_mount_err\n4. The old error handler freed passwords but not the source strings,\ncausing the memory to leak.\n\nThis issue was not addressed by commit e8c73eb7db0a (\"cifs: client:\nfix memory leak in smb3_fs_context_parse_param\"), which only fixed\nleaks from repeated fsconfig() calls but not this error path.\n\nPatch updated with minor change suggested by kernel test robot"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:57:13.461Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7627864dc3121f39e220f5253a227edf472de59e"
        },
        {
          "url": "https://git.kernel.org/stable/c/48d69290270891f988e72edddd9688c20515421d"
        },
        {
          "url": "https://git.kernel.org/stable/c/37010021d7e0341bb241ca00bcbae31f2c50b23f"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e4d9120cfa413dd34f4f434befc5dbe6c38b2e5"
        }
      ],
      "title": "cifs: fix memory leak in smb3_fs_context_parse_param error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68219",
    "datePublished": "2025-12-16T13:57:13.461Z",
    "dateReserved": "2025-12-16T13:41:40.256Z",
    "dateUpdated": "2025-12-16T13:57:13.461Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68219\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-16T14:15:55.013\",\"lastModified\":\"2025-12-18T15:08:06.237\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncifs: fix memory leak in smb3_fs_context_parse_param error path\\n\\nAdd proper cleanup of ctx-\u003esource and fc-\u003esource to the\\ncifs_parse_mount_err error handler. This ensures that memory allocated\\nfor the source strings is correctly freed on all error paths, matching\\nthe cleanup already performed in the success path by\\nsmb3_cleanup_fs_context_contents().\\nPointers are also set to NULL after freeing to prevent potential\\ndouble-free issues.\\n\\nThis change fixes a memory leak originally detected by syzbot. The\\nleak occurred when processing Opt_source mount options if an error\\nhappened after ctx-\u003esource and fc-\u003esource were successfully\\nallocated but before the function completed.\\n\\nThe specific leak sequence was:\\n1. ctx-\u003esource = smb3_fs_context_fullpath(ctx, \u0027/\u0027) allocates memory\\n2. fc-\u003esource = kstrdup(ctx-\u003esource, GFP_KERNEL) allocates more memory\\n3. A subsequent error jumps to cifs_parse_mount_err\\n4. 
The old error handler freed passwords but not the source strings,\\ncausing the memory to leak.\\n\\nThis issue was not addressed by commit e8c73eb7db0a (\\\"cifs: client:\\nfix memory leak in smb3_fs_context_parse_param\\\"), which only fixed\\nleaks from repeated fsconfig() calls but not this error path.\\n\\nPatch updated with minor change suggested by kernel test robot\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/37010021d7e0341bb241ca00bcbae31f2c50b23f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/48d69290270891f988e72edddd9688c20515421d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7627864dc3121f39e220f5253a227edf472de59e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7e4d9120cfa413dd34f4f434befc5dbe6c38b2e5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

