PT-2025-17275 · Linux+5 · Linux Kernel+5
Published: 2025-03-27 · Updated: 2026-05-22 · CVE-2025-38575
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.1.135-1
Linux kernel versions prior to 6.1.137-1~deb11u1
Linux kernel versions prior to 6.6.88
Linux kernel (HWE) (affected versions not specified)
Linux kernel (Azure) (affected versions not specified)
Linux kernel (Oracle) (affected versions not specified)
Linux kernel (OEM) (affected versions not specified)
Linux kernel (AWS) (affected versions not specified)
Linux kernel (Low Latency) (affected versions not specified)
Description
Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service, or information leaks. A specific issue, identified as CVE-2025-38575, exists within the ksmbd module and is related to improper memory management. Specifically, the ksmbd_crypt_message() function and the aead_request_free() function were not used correctly, leading to a use-after-free condition. This could allow an attacker to gain access to sensitive cryptographic data. The upstream kernel versions 6.6.87 and 6.6.88 include fixes for bugs and vulnerabilities. The kmod-virtualbox and kmod-xtables-addons packages have been updated to work with the new kernel.
Recommendations
Upgrade to Linux kernel version 6.1.135-1 or later.
Upgrade to Linux kernel version 6.1.137-1~deb11u1 or later for Debian 11 bullseye.
Upgrade to Linux kernel version 6.6.88 or later.
At the moment, there is no information about a newer version that contains a fix for this vulnerability for Linux kernel (HWE).
At the moment, there is no information about a newer version that contains a fix for this vulnerability for Linux kernel (Azure).
At the moment, there is no information about a newer version that contains a fix for this vulnerability for Linux kernel (Oracle).
At the moment, there is no information about a newer version that contains a fix for this vulnerability for Linux kernel (OEM).
At the moment, there is no information about a newer version that contains a fix for this vulnerability for Linux kernel (AWS).
At the moment, there is no information about a newer version that contains a fix for this vulnerability for Linux kernel (Low Latency).
Exploit
Fix
Use After Free
Improper Resource Release
Information Disclosure
Related Identifiers
Affected Products
Astra Linux
Debian
Linux Kernel
Linuxmint
Red Os
Ubuntu