In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix recursive locking in RPC handle list access
Since commit 305853cce3794 ("ksmbd: Fix race condition in RPC handle list access"), ksmbd_session_rpc_method() attempts to lock sess->rpc_lock.
This causes hung connections / tasks when a client attempts to open a named pipe. Using Samba's rpcclient tool:
  $ rpcclient //192.168.1.254 -U user%password
  $ rpcclient $> srvinfo
  <connection hung here>
Kernel side:
  "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
  task:kworker/0:0 state:D stack:0 pid:5021 tgid:5021 ppid:2 flags:0x00200000
  Workqueue: ksmbd-io handle_ksmbd_work
  Call trace:
  __schedule from schedule+0x3c/0x58
  schedule from schedule_preempt_disabled+0xc/0x10
  schedule_preempt_disabled from rwsem_down_read_slowpath+0x1b0/0x1d8
  rwsem_down_read_slowpath from down_read+0x28/0x30
  down_read from ksmbd_session_rpc_method+0x18/0x3c
  ksmbd_session_rpc_method from ksmbd_rpc_open+0x34/0x68
  ksmbd_rpc_open from ksmbd_session_rpc_open+0x194/0x228
  ksmbd_session_rpc_open from create_smb2_pipe+0x8c/0x2c8
  create_smb2_pipe from smb2_open+0x10c/0x27ac
  smb2_open from handle_ksmbd_work+0x238/0x3dc
  handle_ksmbd_work from process_scheduled_works+0x160/0x25c
  process_scheduled_works from worker_thread+0x16c/0x1e8
  worker_thread from kthread+0xa8/0xb8
  kthread from ret_from_fork+0x14/0x38
  Exception stack(0x8529ffb0 to 0x8529fff8)
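The task deadlocks because the lock is already held:
  ksmbd_session_rpc_open
    down_write(&sess->rpc_lock)
    ksmbd_rpc_open
      ksmbd_session_rpc_method
        down_read(&sess->rpc_lock)   <-- deadlock
Kernel read-write semaphores are not recursive, so a down_read() issued by the task that already holds the same semaphore for write blocks forever; the worker stays in state D and the client connection hangs.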
Adjust ksmbd_session_rpc_method() callers to take the lock when necessary.
[
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"96021204749364966584542177711573619913",
"214515663918310155488505017428172988328",
"238863140878012551041849444175745967664",
"300464257564967120588120411108046183701",
"73302661699156862296734415072333059478"
]
},
"target": {
"file": "fs/smb/server/smb2pdu.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@88f170814fea74911ceab798a43cbd7c5599bed4",
"id": "CVE-2025-40090-07659789",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"249864143697886883059662324261924590756",
"278733888366010807662026664925464364486",
"119955747174153298479738332272106949220",
"315992939825814015884110781634547772140",
"91921240998103474206196157879174927922",
"319006007827765437032251902667668894533",
"3486962579741110565173303880640451670",
"333309062506864117423429858801852942118",
"278733888366010807662026664925464364486",
"119955747174153298479738332272106949220",
"210665332225795822823594698946552593079",
"198405648008637553909338336481088519126",
"156631734870233351414408501094687232047",
"208411733612884073872835761812172120286",
"249864143697886883059662324261924590756",
"278733888366010807662026664925464364486",
"119955747174153298479738332272106949220",
"212133270511675159597655365613553801967",
"27872096558123629791468150831861479887",
"319006007827765437032251902667668894533",
"3486962579741110565173303880640451670"
]
},
"target": {
"file": "fs/smb/server/transport_ipc.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@88f170814fea74911ceab798a43cbd7c5599bed4",
"id": "CVE-2025-40090-09509ef5",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"88219017169389381119464766461819832481",
"180013795881411335744720297564804949997",
"281794304238132113756763424955227804949",
"250867690380900348623248297079762812086",
"157437960169374157717139780517252441604",
"199593921785895733941408572893654913347",
"328042009594636002325069335830070628747",
"195344169332162232493456467590075959051",
"334737573956258792779441963265899267981"
]
},
"target": {
"file": "fs/smb/server/mgmt/user_session.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@88f170814fea74911ceab798a43cbd7c5599bed4",
"id": "CVE-2025-40090-1af2af8e",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "300853847184096038545159488445490000329",
"length": 609.0
},
"target": {
"file": "fs/smb/server/transport_ipc.c",
"function": "ksmbd_rpc_ioctl"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3412fbd81b46b9cfae013817b61d4bbd27e09e36",
"id": "CVE-2025-40090-3132388c",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"249864143697886883059662324261924590756",
"278733888366010807662026664925464364486",
"119955747174153298479738332272106949220",
"315992939825814015884110781634547772140",
"91921240998103474206196157879174927922",
"319006007827765437032251902667668894533",
"3486962579741110565173303880640451670",
"333309062506864117423429858801852942118",
"278733888366010807662026664925464364486",
"119955747174153298479738332272106949220",
"210665332225795822823594698946552593079",
"198405648008637553909338336481088519126",
"156631734870233351414408501094687232047",
"208411733612884073872835761812172120286",
"249864143697886883059662324261924590756",
"278733888366010807662026664925464364486",
"119955747174153298479738332272106949220",
"212133270511675159597655365613553801967",
"27872096558123629791468150831861479887",
"319006007827765437032251902667668894533",
"3486962579741110565173303880640451670"
]
},
"target": {
"file": "fs/smb/server/transport_ipc.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4602b8cee1481dbb896182e5cb1e8cf12910e9e7",
"id": "CVE-2025-40090-39397c9f",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"88219017169389381119464766461819832481",
"180013795881411335744720297564804949997",
"281794304238132113756763424955227804949",
"250867690380900348623248297079762812086",
"157437960169374157717139780517252441604",
"199593921785895733941408572893654913347",
"328042009594636002325069335830070628747",
"195344169332162232493456467590075959051",
"334737573956258792779441963265899267981"
]
},
"target": {
"file": "fs/smb/server/mgmt/user_session.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3412fbd81b46b9cfae013817b61d4bbd27e09e36",
"id": "CVE-2025-40090-3cd8b90f",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"249864143697886883059662324261924590756",
"278733888366010807662026664925464364486",
"119955747174153298479738332272106949220",
"315992939825814015884110781634547772140",
"91921240998103474206196157879174927922",
"319006007827765437032251902667668894533",
"3486962579741110565173303880640451670",
"333309062506864117423429858801852942118",
"278733888366010807662026664925464364486",
"119955747174153298479738332272106949220",
"210665332225795822823594698946552593079",
"198405648008637553909338336481088519126",
"156631734870233351414408501094687232047",
"208411733612884073872835761812172120286",
"249864143697886883059662324261924590756",
"278733888366010807662026664925464364486",
"119955747174153298479738332272106949220",
"212133270511675159597655365613553801967",
"27872096558123629791468150831861479887",
"319006007827765437032251902667668894533",
"3486962579741110565173303880640451670"
]
},
"target": {
"file": "fs/smb/server/transport_ipc.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3412fbd81b46b9cfae013817b61d4bbd27e09e36",
"id": "CVE-2025-40090-40f1116b",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "7170116706448462544796245870908358522",
"length": 782.0
},
"target": {
"file": "fs/smb/server/smb2pdu.c",
"function": "smb2_get_info_file_pipe"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@88f170814fea74911ceab798a43cbd7c5599bed4",
"id": "CVE-2025-40090-50d59526",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "89059742343441579241120954380530398049",
"length": 244.0
},
"target": {
"file": "fs/smb/server/mgmt/user_session.c",
"function": "ksmbd_session_rpc_method"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4602b8cee1481dbb896182e5cb1e8cf12910e9e7",
"id": "CVE-2025-40090-543ddf60",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "89059742343441579241120954380530398049",
"length": 244.0
},
"target": {
"file": "fs/smb/server/mgmt/user_session.c",
"function": "ksmbd_session_rpc_method"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3412fbd81b46b9cfae013817b61d4bbd27e09e36",
"id": "CVE-2025-40090-5444fa3d",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"96021204749364966584542177711573619913",
"214515663918310155488505017428172988328",
"238863140878012551041849444175745967664",
"300464257564967120588120411108046183701",
"73302661699156862296734415072333059478"
]
},
"target": {
"file": "fs/smb/server/smb2pdu.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4602b8cee1481dbb896182e5cb1e8cf12910e9e7",
"id": "CVE-2025-40090-5527cbb7",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "227922690281999263416538665168431273370",
"length": 609.0
},
"target": {
"file": "fs/smb/server/transport_ipc.c",
"function": "ksmbd_rpc_write"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4602b8cee1481dbb896182e5cb1e8cf12910e9e7",
"id": "CVE-2025-40090-5943061a",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "227922690281999263416538665168431273370",
"length": 609.0
},
"target": {
"file": "fs/smb/server/transport_ipc.c",
"function": "ksmbd_rpc_write"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3412fbd81b46b9cfae013817b61d4bbd27e09e36",
"id": "CVE-2025-40090-7248b500",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "300853847184096038545159488445490000329",
"length": 609.0
},
"target": {
"file": "fs/smb/server/transport_ipc.c",
"function": "ksmbd_rpc_ioctl"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@88f170814fea74911ceab798a43cbd7c5599bed4",
"id": "CVE-2025-40090-7b8d21d0",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "89059742343441579241120954380530398049",
"length": 244.0
},
"target": {
"file": "fs/smb/server/mgmt/user_session.c",
"function": "ksmbd_session_rpc_method"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@88f170814fea74911ceab798a43cbd7c5599bed4",
"id": "CVE-2025-40090-8883cb6f",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "7170116706448462544796245870908358522",
"length": 782.0
},
"target": {
"file": "fs/smb/server/smb2pdu.c",
"function": "smb2_get_info_file_pipe"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3412fbd81b46b9cfae013817b61d4bbd27e09e36",
"id": "CVE-2025-40090-95d32e4b",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"88219017169389381119464766461819832481",
"180013795881411335744720297564804949997",
"281794304238132113756763424955227804949",
"250867690380900348623248297079762812086",
"157437960169374157717139780517252441604",
"199593921785895733941408572893654913347",
"328042009594636002325069335830070628747",
"195344169332162232493456467590075959051",
"334737573956258792779441963265899267981"
]
},
"target": {
"file": "fs/smb/server/mgmt/user_session.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4602b8cee1481dbb896182e5cb1e8cf12910e9e7",
"id": "CVE-2025-40090-a3c1305e",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "7170116706448462544796245870908358522",
"length": 782.0
},
"target": {
"file": "fs/smb/server/smb2pdu.c",
"function": "smb2_get_info_file_pipe"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4602b8cee1481dbb896182e5cb1e8cf12910e9e7",
"id": "CVE-2025-40090-b2b25a77",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "336908577648504256989312537936101666026",
"length": 474.0
},
"target": {
"file": "fs/smb/server/transport_ipc.c",
"function": "ksmbd_rpc_read"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3412fbd81b46b9cfae013817b61d4bbd27e09e36",
"id": "CVE-2025-40090-bd3cd0bb",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "336908577648504256989312537936101666026",
"length": 474.0
},
"target": {
"file": "fs/smb/server/transport_ipc.c",
"function": "ksmbd_rpc_read"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4602b8cee1481dbb896182e5cb1e8cf12910e9e7",
"id": "CVE-2025-40090-dc795ec5",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "227922690281999263416538665168431273370",
"length": 609.0
},
"target": {
"file": "fs/smb/server/transport_ipc.c",
"function": "ksmbd_rpc_write"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@88f170814fea74911ceab798a43cbd7c5599bed4",
"id": "CVE-2025-40090-ddd1393d",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"96021204749364966584542177711573619913",
"214515663918310155488505017428172988328",
"238863140878012551041849444175745967664",
"300464257564967120588120411108046183701",
"73302661699156862296734415072333059478"
]
},
"target": {
"file": "fs/smb/server/smb2pdu.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3412fbd81b46b9cfae013817b61d4bbd27e09e36",
"id": "CVE-2025-40090-e5d1b864",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "300853847184096038545159488445490000329",
"length": 609.0
},
"target": {
"file": "fs/smb/server/transport_ipc.c",
"function": "ksmbd_rpc_ioctl"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4602b8cee1481dbb896182e5cb1e8cf12910e9e7",
"id": "CVE-2025-40090-e7d0b9e5",
"deprecated": false,
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "336908577648504256989312537936101666026",
"length": 474.0
},
"target": {
"file": "fs/smb/server/transport_ipc.c",
"function": "ksmbd_rpc_read"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@88f170814fea74911ceab798a43cbd7c5599bed4",
"id": "CVE-2025-40090-e933af68",
"deprecated": false,
"signature_version": "v1"
}
]