CVE-2025-37947

ksmbd: prevent out-of-bounds stream writes by validating *pos

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: prevent out-of-bounds stream writes by validating *pos ksmbd_vfs_stream_write() did not validate whether the write offset (*pos) was within the bounds of the existing stream data length (v_len). If *pos was greater than or equal to v_len, this could lead to an out-of-bounds memory write. This patch adds a check to ensure *pos is less than v_len before proceeding. If the condition fails, -EINVAL is returned.

N/A
CVSS
Severity:
EPSS 0.02%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/7f61da79df86fd140c7768e668ad846bfa7ec8e1
https://git.kernel.org/stable/c/04c8a38c60346bb5a7c49b276de7233f703ce9cb
https://git.kernel.org/stable/c/d62ba16563a86aae052f96d270b3b6f78fca154c
https://git.kernel.org/stable/c/e6356499fd216ed6343ae0363f4c9303f02c5034
https://git.kernel.org/stable/c/0ca6df4f40cf4c32487944aaf48319cb6c25accc

Frequently Asked Questions

What is the severity of CVE-2025-37947?
CVE-2025-37947 has not yet been assigned a CVSS score.
How to fix CVE-2025-37947?
To fix CVE-2025-37947, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-37947 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-37947 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-37947?
CVE-2025-37947 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.