CVE-2025-71151 — Missing Release of Memory after Effective Lifetime in Linux
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 95.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJan 23
Latest updateApr 17
Description
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix memory and information leak in smb3_reconfigure()
In smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the
function returns immediately without freeing and erasing the newly
allocated new_password and new_password2. This causes both a memory leak
and a potential information leak.
Fix this by calling kfree_sensitive() on both password buffers before
returning in this error case.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6
Affected Packages14 packages
▶CVEListV5linux/linux880a661e67648a3ffe85405e8de5f50650a3c0b2 — bc390b2737205163e48cc1655f6a0c8cd55b02fc+5
Patches
🔴Vulnerability Details
2GHSA▶
GHSA-mp8m-m46q-cqx4: In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix memory and information leak in smb3_reconfigure()
In smb3_reconfigure(↗2026-01-23
OSV▶
CVE-2025-71151: In the Linux kernel, the following vulnerability has been resolved: cifs: Fix memory and information leak in smb3_reconfigure() In smb3_reconfigure(),↗2026-01-23