CVE-2025-2312: Exposure of Data Element to Wrong Session in Cifs-utils

Severity
5.9 MEDIUM (NVD)
OSV: 5.5
EPSS: 0.0% (top 90.74%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Mar 25
Latest update: Jul 18

Description

A flaw was found in cifs-utils. When trying to obtain Kerberos credentials, the cifs.upcall program from the cifs-utils package makes an upcall to the wrong namespace in containerized environments. This issue may lead to disclosing sensitive data from the host's Kerberos credentials cache.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Exploitability: 1.4 | Impact: 4.0

Affected Packages (3 packages)

CVEListV5: cifs-utils/cifs-utils < 7.2
Debian: samba/cifs-utils < 2:7.2-1+1
Ubuntu: linux/linux_kernel < 6.8.0-62.65+1

Vulnerability Details (32)

OSV: linux-intel-iotg-5.15 vulnerabilities (2025-07-18)
OSV: linux-hwe-6.8 vulnerabilities (2025-07-17)
OSV: linux-raspi vulnerabilities (2025-07-17)
OSV: linux-iot vulnerabilities (2025-07-16)
OSV: linux-raspi, linux-raspi-5.4 vulnerabilities (2025-07-16)

Vendor Advisories (35)

Ubuntu: Linux kernel (Intel IoTG) vulnerabilities (2025-07-18)
Ubuntu: Linux kernel (HWE) vulnerabilities (2025-07-17)
Ubuntu: Linux kernel (Raspberry Pi) vulnerabilities (2025-07-17)
Ubuntu: Linux kernel (Raspberry Pi) vulnerabilities (2025-07-16)
Ubuntu: Linux kernel (IoT) vulnerabilities (2025-07-16)
CVE-2025-2312 — Cifs-utils vulnerability | cvebase