CVE-2025-21673
Linux Kernel vulnerability analysis and mitigation

Overview

CVE-2025-21673 is a double free vulnerability discovered in the Linux kernel's SMB client implementation, specifically in the handling of TCP_Server_Info::hostname. The vulnerability was disclosed on January 31, 2025, and affects Linux kernel versions from 5.14.19 up to (excluding) 6.12.11 (NVD).

Technical details

The vulnerability occurs when the server is shut down in cifs_put_tcp_session(). While that teardown runs, the cifsd thread may still be reconnecting to multiple DFS targets before it realizes it should exit its loop, so the hostname can be released twice: once by cifs_put_tcp_session() and once by the cifsd thread, leading to a double free of server->hostname. The root cause is improper memory management: the hostname is freed before the cifsd thread has finished using it. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

Impact

The vulnerability can lead to system instability and denial of service conditions due to memory corruption. When triggered, it can cause the kernel to crash, resulting in system downtime. Per the CVSS vector, the issue is reachable locally by a low-privileged user and affects only the availability of the system; it does not impact confidentiality or integrity (NVD).

Mitigation and workarounds

The vulnerability has been patched in the Linux kernel. The fix ensures that server->hostname is not freed until the cifsd thread has completed its operations, by moving the free from cifs_put_tcp_session() to clean_demultiplex_info(), which runs after the thread has exited. System administrators are advised to update to patched kernel versions. Red Hat Enterprise Linux 9 users should apply the available kernel updates, while versions 6, 7, and 8 are not affected (Red Hat).
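To make the two orderings concrete, the following is an added C model written for this page, not the kernel's code: a quarantining free stands in for what KASAN would report, cifsd's DFS-reconnect step is split so its unsynchronised read of the old hostname is visible, and the only difference between the vulnerable and fixed runs is where the final free happens. All names (kfree_model, run_vulnerable, run_fixed) and the hostnames are constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of the bug class; names mirror the page, not kernel code. */
struct server {
    char *hostname;
    bool exiting;   /* stands in for the CifsExiting status cifsd checks at the top of each loop pass */
};

/* Quarantining free in the spirit of KASAN: freed pointers are kept, so a second release is counted. */
static void *quarantine[32]; static int nq, double_frees;
static void kfree_model(void *p) {
    if (!p) return;
    for (int i = 0; i < nq; i++)
        if (quarantine[i] == p) { double_frees++; return; }   /* double free detected */
    quarantine[nq++] = p;
}
static void reset_model(void) { while (nq) free(quarantine[--nq]); double_frees = 0; }

/* One cifsd DFS-reconnect step: read the old hostname, then release it and install the new target. */
static char *cifsd_load_hostname(struct server *s) { return s->hostname; }
static void cifsd_install_target(struct server *s, char *old, const char *target) {
    kfree_model(old);                 /* frees whatever pointer it read earlier, exiting or not */
    s->hostname = strdup(target);
}

/* Vulnerable ordering: cifs_put_tcp_session() frees hostname while cifsd is mid-step. */
static int run_vulnerable(void) {
    struct server s = { strdup("srv1.example"), false };   /* constructed sample */
    reset_model();
    char *old = cifsd_load_hostname(&s);           /* cifsd: read pointer it will replace  */
    s.exiting = true;                              /* put_tcp_session: signal exit...      */
    kfree_model(s.hostname); s.hostname = NULL;    /* ...and free hostname too early       */
    cifsd_install_target(&s, old, "srv2.example"); /* cifsd frees @old a second time       */
    kfree_model(s.hostname);                       /* final cleanup of the new string      */
    return double_frees;                           /* 1 */
}

/* Fixed ordering: hostname is freed once in clean_demultiplex_info(), after cifsd has exited. */
static int run_fixed(void) {
    struct server s = { strdup("srv1.example"), false };
    reset_model();
    char *old = cifsd_load_hostname(&s);
    s.exiting = true;                              /* put_tcp_session: only signal exit    */
    cifsd_install_target(&s, old, "srv2.example"); /* cifsd still owns hostname here       */
    kfree_model(s.hostname);                       /* clean_demultiplex_info(): freed once */
    return double_frees;                           /* 0 */
}
```

Note that setting the pointer to NULL after the early free does not help, because cifsd already holds the old value; only deferring the free past the thread's exit closes the window.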

Additional resources

Source

This report was generated using AI.

Related Linux Kernel vulnerabilities:

CVE ID          Severity  Score  Technologies  Component name                  CISA KEV exploit  Has fix  Published date
CVE-2025-71142  N/A       N/A    Linux Kernel  kernel-zfcpdump-modules-core    No                No       Jan 14, 2026
CVE-2025-71137  N/A       N/A    Linux Kernel  kernel-64k-debug-devel-matched  No                Yes      Jan 14, 2026
CVE-2025-71135  N/A       N/A    Linux Kernel  kernel-doc                      No                No       Jan 14, 2026
CVE-2025-71134  N/A       N/A    Linux Kernel  kernel-abi-stablelists          No                No       Jan 14, 2026
CVE-2025-71133  N/A       N/A    Linux Kernel  kernel-zfcpdump-modules         No                Yes      Jan 14, 2026
