{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "8f14a476abba13144df5434871a7225fd29af633"
            },
            {
              "fixed": "5d047b12f86cc3b9fde1171c02d9bccf4dba0632"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "ef51c0d544b1518b35364480317ab6d3468f205d"
            },
            {
              "fixed": "6550b2bef095d0dd2d2c8390d2ea4c3837028833"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "bce966530fd5542bbb422cb45ecb775f7a1a6bc3"
            },
            {
              "fixed": "9a1d3e8d40f151c2d5a5f40c410e6e433f62f438"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0809fb86ad13b29e1d6d491364fc7ea4fb545995"
            },
            {
              "fixed": "15a0a5de49507062bc3be4014a403d8cea5533de"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "b0abcd65ec545701b8793e12bc27dc98042b151a"
            },
            {
              "fixed": "2a76bc2b24ed889a689fb1c9015307bf16aafb5b"
            },
            {
              "fixed": "8ac90f6824fc44d2e55a82503ddfc95defb19ae0"
            },
            {
              "fixed": "b220bed63330c0e1733dc06ea8e75d5b9962b6b6"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "538c26d9bf70c90edc460d18c81008a4e555925a"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38488.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in crypt_message when using async crypto\n\nThe CVE-2024-50047 fix removed asynchronous crypto handling from\ncrypt_message(), assuming all crypto operations are synchronous.\nHowever, when hardware crypto accelerators are used, this can cause\nuse-after-free crashes:\n\n  crypt_message()\n    // Allocate the creq buffer containing the req\n    creq = smb2_get_aead_req(..., \u0026req);\n\n    // Async encryption returns -EINPROGRESS immediately\n    rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);\n\n    // Free creq while async operation is still in progress\n    kvfree_sensitive(creq, ...);\n\nHardware crypto modules often implement async AEAD operations for\nperformance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS,\nthe operation completes asynchronously. Without crypto_wait_req(),\nthe function immediately frees the request buffer, leading to crashes\nwhen the driver later accesses the freed memory.\n\nThis results in a use-after-free condition when the hardware crypto\ndriver later accesses the freed request structure, leading to kernel\ncrashes with NULL pointer dereferences.\n\nThe issue occurs because crypto_alloc_aead() with mask=0 doesn't\nguarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in\nthe mask, async implementations can be selected.\n\nFix by restoring the async crypto handling:\n- DECLARE_CRYPTO_WAIT(wait) for completion tracking\n- aead_request_set_callback() for async completion notification\n- crypto_wait_req() to wait for operation completion\n\nThis ensures the request buffer isn't freed until the crypto operation\ncompletes, whether synchronous or asynchronous, while preserving the\nCVE-2024-50047 fix.",
  "id": "CVE-2025-38488",
  "modified": "2026-04-01T23:08:14.299665123Z",
  "published": "2025-07-28T11:21:52.085Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/15a0a5de49507062bc3be4014a403d8cea5533de"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2a76bc2b24ed889a689fb1c9015307bf16aafb5b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5d047b12f86cc3b9fde1171c02d9bccf4dba0632"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6550b2bef095d0dd2d2c8390d2ea4c3837028833"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8ac90f6824fc44d2e55a82503ddfc95defb19ae0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a1d3e8d40f151c2d5a5f40c410e6e433f62f438"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b220bed63330c0e1733dc06ea8e75d5b9962b6b6"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38488.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38488"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.3",
  "summary": "smb: client: fix use-after-free in crypt_message when using async crypto"
}