CVE-2025-38191

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38191
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38191.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-38191
Downstream
Related
Published
2025-07-04T14:15:26Z
Modified
2025-08-12T21:01:18Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix null pointer dereference in destroyprevioussession

If client set ->PreviousSessionId on kerberos session setup stage, NULL pointer dereference error will happen. Since sess->user is not set yet, It can pass the user argument as NULL to destroyprevioussession. sess->user will be set in ksmbdkrb5authenticate(). So this patch move calling destroyprevioussession() after ksmbdkrb5authenticate().

References

Affected packages