Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71151

CVE-2025-71151: Linux Kernel Information Leak Vulnerability

CVE-2025-71151 is an information disclosure flaw in Linux Kernel's CIFS implementation that causes memory and information leaks when password reconfiguration fails. This article covers technical details, impact, and mitigation.

Updated:

CVE-2025-71151 Overview

CVE-2025-71151 is a memory leak vulnerability [CWE-401] in the Linux kernel's CIFS (Common Internet File System) client. The flaw resides in the smb3_reconfigure() function, where a failure path in smb3_sync_session_ctx_passwords() returns without releasing the newly allocated new_password and new_password2 buffers. This causes both a memory leak and a potential information leak of sensitive authentication material. The issue affects Linux kernel pre-release versions 6.19-rc1 and 6.19-rc2. Exploitation requires local access with low privileges and no user interaction, but cannot be triggered remotely.

Critical Impact

Local low-privileged users can trigger leakage of password buffers in kernel memory during CIFS mount reconfiguration error paths, exposing sensitive credential data.

Affected Products

  • Linux Kernel 6.19-rc1
  • Linux Kernel 6.19-rc2
  • Linux Kernel CIFS client subsystem (fs/smb/client/)

Discovery Timeline

  • 2026-01-23 - CVE-2025-71151 published to NVD
  • 2026-02-26 - Last updated in NVD database

Technical Details for CVE-2025-71151

Vulnerability Analysis

The vulnerability exists in the CIFS client's smb3_reconfigure() function, which handles remount operations for SMB/CIFS shares. During reconfiguration, the function allocates two buffers, new_password and new_password2, to hold updated authentication credentials supplied through mount options.

The function then calls smb3_sync_session_ctx_passwords() to synchronize these passwords with the active session context. If this synchronization call fails, the function returns immediately to the caller. The error path omits the cleanup logic that would normally free and zero the password buffers.

Two consequences result. First, the kernel slab allocator retains the unreferenced buffers, producing a memory leak that grows with each failed reconfigure attempt. Second, the password contents remain in freed or stale memory regions without being scrubbed, creating an information disclosure surface for adversaries who can read residual kernel memory through other primitives.

Root Cause

The root cause is missing cleanup on an error return path. The patched code introduces kfree_sensitive() calls for both new_password and new_password2 before the function returns in the failure case. kfree_sensitive() zeroes the memory before releasing it back to the allocator, preventing both the leak and the credential exposure.

Attack Vector

The attack vector is local. A user with permission to invoke CIFS remount operations, such as one able to call mount(2) with reconfiguration options on a CIFS share, can repeatedly trigger the error path. The vulnerability does not enable privilege escalation or code execution directly. It exposes credential material and consumes kernel memory under attacker-controlled conditions.

No verified public exploit code is available. The vulnerability is described in upstream kernel commits referenced in the security advisory.

Detection Methods for CVE-2025-71151

Indicators of Compromise

  • Repeated CIFS remount failures logged in dmesg or /var/log/kern.log referencing smb3_reconfigure or smb3_sync_session_ctx_passwords
  • Growth in kernel slab usage attributable to CIFS allocations visible in /proc/slabinfo
  • Unusual frequency of mount syscalls with CIFS reconfiguration flags from non-administrative accounts

Detection Strategies

  • Audit mount(2) and fsconfig(2) syscalls targeting CIFS filesystems using Linux Audit (auditd) rules
  • Monitor kernel memory consumption trends for anomalous growth in cifs_request and related slab caches
  • Inspect /proc/fs/cifs/Stats for elevated reconfiguration error counters

Monitoring Recommendations

  • Enable auditd rules to log CIFS mount and remount operations with arguments
  • Alert on repeated failures of the same user invoking CIFS remount within a short time window
  • Track kernel version inventory to identify hosts running affected 6.19-rc1 or 6.19-rc2 builds

How to Mitigate CVE-2025-71151

Immediate Actions Required

  • Identify all systems running Linux kernel 6.19-rc1 or 6.19-rc2 and prioritize them for update
  • Apply the upstream kernel patches referenced in the Kernel Commit cb6d5aa9 series
  • Restrict CIFS mount and remount privileges to trusted administrative accounts only

Patch Information

The fix has been merged upstream across multiple kernel trees. Apply one of the corresponding commits: Kernel Commit 5679cc90, Kernel Commit bb82aaee, Kernel Commit bc390b27, or Kernel Commit cb6d5aa9. The patches add kfree_sensitive() calls to scrub and release the password buffers on the failing error path in smb3_reconfigure().

Workarounds

  • Avoid using pre-release kernels 6.19-rc1 and 6.19-rc2 in production environments
  • Disable or unload the cifs kernel module on hosts that do not require SMB client connectivity using modprobe -r cifs
  • Limit CAP_SYS_ADMIN and mount permissions to reduce the population of users who can invoke CIFS reconfiguration
bash
# Verify kernel version and CIFS module status
uname -r
lsmod | grep cifs

# Blacklist CIFS module if not required
echo "blacklist cifs" | sudo tee /etc/modprobe.d/disable-cifs.conf
sudo modprobe -r cifs

# Audit CIFS mount activity
sudo auditctl -a always,exit -F arch=b64 -S mount -F path=/sbin/mount.cifs -k cifs_mount

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.