In the Linux kernel, the following vulnerability has been resolved:
ksmbd: prevent out-of-bounds stream writes by validating *pos
ksmbd_vfs_stream_write() did not validate whether the write offset (*pos) was within the bounds of the existing stream data length (v_len). If *pos was greater than or equal to v_len, this could lead to an out-of-bounds memory write.
This patch adds a check to ensure *pos is less than v_len before proceeding. If the condition fails, -EINVAL is returned.
[ { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@04c8a38c60346bb5a7c49b276de7233f703ce9cb", "target": { "function": "ksmbd_vfs_stream_write", "file": "fs/smb/server/vfs.c" }, "id": "CVE-2025-37947-06e3665d", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "digest": { "function_hash": "4414967034085953649716315198658764179", "length": 1080.0 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d62ba16563a86aae052f96d270b3b6f78fca154c", "target": { "function": "ksmbd_vfs_stream_write", "file": "fs/smb/server/vfs.c" }, "id": "CVE-2025-37947-0c35e6d9", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "digest": { "function_hash": "333727666911083657640986741974909119592", "length": 1087.0 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0ca6df4f40cf4c32487944aaf48319cb6c25accc", "target": { "file": "fs/smb/server/vfs.c" }, "id": "CVE-2025-37947-2c0f827b", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "digest": { "line_hashes": [ "109401113662066539742496945239834615858", "325721914804935686583886970965963329844", "295506648716598103693107985729893290039" ], "threshold": 0.9 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0ca6df4f40cf4c32487944aaf48319cb6c25accc", "target": { "function": "ksmbd_vfs_stream_write", "file": "fs/smb/server/vfs.c" }, "id": "CVE-2025-37947-3729e742", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "digest": { "function_hash": "333727666911083657640986741974909119592", "length": 1087.0 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d62ba16563a86aae052f96d270b3b6f78fca154c", "target": { "file": "fs/smb/server/vfs.c" }, "id": "CVE-2025-37947-788f3c62", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "digest": { "line_hashes": [ 
"109401113662066539742496945239834615858", "325721914804935686583886970965963329844", "295506648716598103693107985729893290039" ], "threshold": 0.9 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e6356499fd216ed6343ae0363f4c9303f02c5034", "target": { "function": "ksmbd_vfs_stream_write", "file": "fs/smb/server/vfs.c" }, "id": "CVE-2025-37947-7d1b21ba", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "digest": { "function_hash": "333727666911083657640986741974909119592", "length": 1087.0 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@04c8a38c60346bb5a7c49b276de7233f703ce9cb", "target": { "file": "fs/smb/server/vfs.c" }, "id": "CVE-2025-37947-7fe2afa3", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "digest": { "line_hashes": [ "109401113662066539742496945239834615858", "145558672019358143397609204463115576182", "154838884528580057766321015558248699172" ], "threshold": 0.9 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e6356499fd216ed6343ae0363f4c9303f02c5034", "target": { "file": "fs/smb/server/vfs.c" }, "id": "CVE-2025-37947-8560f5fd", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "digest": { "line_hashes": [ "109401113662066539742496945239834615858", "325721914804935686583886970965963329844", "295506648716598103693107985729893290039" ], "threshold": 0.9 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7f61da79df86fd140c7768e668ad846bfa7ec8e1", "target": { "function": "ksmbd_vfs_stream_write", "file": "fs/smb/server/vfs.c" }, "id": "CVE-2025-37947-87bb205f", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "digest": { "function_hash": "4414967034085953649716315198658764179", "length": 1080.0 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7f61da79df86fd140c7768e668ad846bfa7ec8e1", 
"target": { "file": "fs/smb/server/vfs.c" }, "id": "CVE-2025-37947-8b5a9eca", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "digest": { "line_hashes": [ "109401113662066539742496945239834615858", "145558672019358143397609204463115576182", "154838884528580057766321015558248699172" ], "threshold": 0.9 } } ]