CVE-2025-40039

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A race condition exists in the handling of RPC handles within a ksmbd session due to flawed locking implementation. Specifically, the sess->rpc handle list XArray, which manages these handles, was not consistently protected by the intended sess->rpc lock (an rw semaphore). The ksmbd session rpc open() function incorrectly acquired only a read lock before performing modifications to the XArray using xa store() and xa erase(), requiring a write lock for exclusive access. Additionally, ksmbd session rpc method() accessed the list using xa load() without holding any lock, potentially leading to inconsistent data reads or a use-after-free condition. The issue is addressed by ensuring correct write lock acquisition in ksmbd session rpc open() using down write() and up write(), and by adding read lock protection in ksmbd session rpc method() using down read() and up read().

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.