NULL Pointer Dereference in Linux Kernel CIFS Component
CVE-2025-39838

Currently unrated

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 19 September 2025

What is CVE-2025-39838?

In the Linux kernel, a vulnerability exists in the CIFS (Common Internet File System) component, where a NULL pointer can be dereferenced due to improper checks during UTF16 conversion. The flaw occurs when NULL is passed to the function __cifs_sfu_make_node without appropriate validation. This oversight allows for potential crashes when it reaches the cifs_strndup_to_utf16 function. To resolve this issue, a patch has been implemented that introduces a check for a NULL 'src' parameter, returning early to prevent null pointer dereference and ensuring system stability.

Affected Version(s)

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 65b98a7e65e7a8f3894d8760cd194eaf20504c99

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 1cfa5dd05847137f0fb3ce74ced80c0b4858d716

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 1f797f062b5cf13a1c2bcc23285361baaa7c9260

References

https://git.kernel.org/stable/c/65b98a7e65e7a8f3894d8760c...

https://git.kernel.org/stable/c/1cfa5dd05847137f0fb3ce74c...

https://git.kernel.org/stable/c/1f797f062b5cf13a1c2bcc232...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 19, 2025
Vulnerability Reserved
Apr 16, 2025