CVE-2025-37778: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37778 is a vulnerability discovered in the Linux kernel affecting the ksmbd component. The vulnerability was disclosed on May 1, 2025, and involves a dangling pointer issue in the krb_authenticate function (NVD, Wiz).

The vulnerability occurs when krbauthenticate frees sess->user without setting the pointer to NULL. The function then calls ksmbdkrb5authenticate to reinitialize sess->user, but if that function returns without reinitializing, smb2sesssetup (which calls krbauthenticate) will access freed memory when it later uses sess->user. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

This vulnerability could potentially lead to memory corruption issues when using the ksmbd component in the Linux kernel, which might result in system instability or potential security implications when accessing freed memory (Wiz).

Fixed versions have been released for various distributions. Debian has patched version 6.1.135-1 for bookworm and 6.12.25-1 for sid to address this vulnerability. Red Hat Enterprise Linux versions 6, 7, 8, and 9 are not affected by this vulnerability (Debian Tracker, Red Hat).