Linux Kernel, Usercopy Vulnerability, CVE-2025-38523 (Medium)


How the mentioned CVE works:

The vulnerability exists within the SMB Direct (SMBD) client implementation in the Linux kernel’s CIFS filesystem. When receiving data over an RDMA transport, the kernel places packets into slab objects of type `smbd_response`. The code uses `copy_to_iter()` to transfer data from a specific field (`packet`) within these objects to user-space page cache buffers. If the kernel is compiled with `CONFIG_HARDENED_USERCOPY` enabled, a runtime check is triggered on every such copy. This security feature verifies that the memory region being copied to user space lies within a region of the slab object that was explicitly marked as safe for usercopy. Since the `packet` field in the `smbd_response` slab cache was not annotated for usercopy, the check fails and the kernel panics with a “usercopy abort” error. The result is a denial of service (kernel oops) whenever the vulnerable code path is executed during file operations over SMB Direct.
Platform: Linux Kernel
Version: Up to fix
Vulnerability: Usercopy Slab
Severity: Medium
Date: 2025-08-16

Prediction: 2025-09-13
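To make the failing check concrete, here is an added user-space model (not kernel code, and not the CIFS project’s own) of how a hardened-usercopy heap check decides whether a copy out of a slab object is allowed: the cache records a whitelisted (useroffset, usersize) window, and any copy that falls outside it aborts. The `smbd_response_model` layout and the 256-byte `packet` size are assumptions for illustration, not the real `struct smbd_response`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified slab cache descriptor: only the fields the usercopy check needs.
 * useroffset/usersize model the window kmem_cache_create_usercopy() records. */
struct slab_cache {
    const char *name;
    size_t object_size;
    size_t useroffset;   /* start of whitelisted region within the object */
    size_t usersize;     /* length of whitelisted region; 0 means none */
};

/* Assumed object layout: some header fields, then the payload that
 * copy_to_iter() hands to the page cache. Constructed for this example. */
struct smbd_response_model {
    uint64_t list_links[2];
    uint32_t type;
    uint32_t sge_count;
    uint8_t  packet[256];
};

/* Returns true if copying n bytes starting at object offset off is allowed;
 * false is the condition under which the kernel calls usercopy_abort(). */
bool usercopy_check(const struct slab_cache *c, size_t off, size_t n)
{
    if (off > c->object_size || n > c->object_size - off)
        return false;                 /* copy would run past the object */
    if (c->usersize == 0)
        return false;                 /* no whitelisted region at all */
    return off >= c->useroffset && off + n <= c->useroffset + c->usersize;
}

/* Cache created with a plain kmem_cache_create(): nothing whitelisted. */
const struct slab_cache smbd_response_unannotated = {
    "smbd_response", sizeof(struct smbd_response_model), 0, 0 };

/* Cache with the packet field annotated as the usercopy region. */
const struct slab_cache smbd_response_annotated = {
    "smbd_response", sizeof(struct smbd_response_model),
    offsetof(struct smbd_response_model, packet),
    sizeof(((struct smbd_response_model *)0)->packet) };

int main(void)
{
    size_t off = offsetof(struct smbd_response_model, packet);
    printf("unannotated cache, 64 bytes of packet: %s\n",
           usercopy_check(&smbd_response_unannotated, off, 64) ? "ok" : "usercopy abort");
    printf("annotated cache, 64 bytes of packet:   %s\n",
           usercopy_check(&smbd_response_annotated, off, 64) ? "ok" : "usercopy abort");
    printf("annotated cache, 64 bytes of header:   %s\n",
           usercopy_check(&smbd_response_annotated, 0, 64) ? "ok" : "usercopy abort");
    return 0;
}
```

The first case is the reported bug (a legitimate copy that aborts only because the region was never whitelisted); the third shows why the window is kept tight, so a copy that strays into the object header still aborts after the fix.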

What Undercode Say:

`sudo grep -r "smbd_response" /sys/kernel/slab/`

`dmesg | grep "usercopy_abort"`

`cat /proc/slabinfo | grep smbd`

How to Exploit:

Mount SMB share.

Trigger file read.

Kernel oops/crash.

Protection from this CVE:

Update Linux kernel.

Disable CONFIG_HARDENED_USERCOPY (not recommended).

Avoid using SMB Direct.

Impact:

Kernel panic.

Denial-of-Service.

System crash.


Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
