{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3olinuxlinux_kernel6.15rc1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.8,"id":"CVE-2025-37750"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve","smb","use-after-free","rce"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2025-37750 is a use-after-free vulnerability affecting the SMB client, specifically during decryption with multichannel. While specific details are scarce, the nature of a use-after-free vulnerability in a network protocol client suggests a potential for remote code execution if an attacker can control the SMB server response. Microsoft has released a security update to address this vulnerability. This vulnerability poses a significant risk to systems acting as SMB clients, as a compromised SMB server or a man-in-the-middle attacker could potentially exploit this flaw.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eDue to the limited information available, the following attack chain is inferred based on the nature of the vulnerability and typical SMB client interactions:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises or controls an SMB server.\u003c/li\u003e\n\u003cli\u003eA client initiates an SMB connection to the malicious server.\u003c/li\u003e\n\u003cli\u003eThe server sends a response requiring multichannel negotiation.\u003c/li\u003e\n\u003cli\u003eThe client attempts to negotiate multichannel and starts decryption.\u003c/li\u003e\n\u003cli\u003eThe server sends a specially crafted response during decryption, triggering the use-after-free condition within the SMB client.\u003c/li\u003e\n\u003cli\u003eThe vulnerability is triggered and allows the attacker to corrupt memory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory corruption to achieve code execution on the client machine.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the client system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-37750 allows a malicious SMB server or man-in-the-middle attacker to execute arbitrary code on the client machine. This could lead to complete system compromise, including data theft, malware installation, and lateral movement within the network. The lack of specific details makes quantifying the exact impact difficult, but the potential for remote code execution warrants immediate attention.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to patch CVE-2025-37750.\u003c/li\u003e\n\u003cli\u003eMonitor SMB client connections for unusual patterns or connections to untrusted servers using network connection logs (product: windows, category: network_connection).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious processes spawned after SMB client activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T07:50:49Z","date_published":"2026-05-11T07:50:49Z","id":"https://feed.craftedsignal.io/briefs/2026-05-smb-uaf/","summary":"CVE-2025-37750 is a use-after-free vulnerability in the SMB client related to decryption with multichannel that could lead to code execution.","title":"CVE-2025-37750 SMB Client Use-After-Free Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-smb-uaf/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*"],"_cs_cves":[{"cvss":5.5,"id":"CVE-2025-37877"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["vulnerability","iommu","cleanup"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2025-37877 is a vulnerability related to the Input/Output Memory Management Unit (IOMMU) within Microsoft products. The vulnerability stems from a failure to properly clear iommu-dma operations during cleanup, potentially leading to resource management issues or unexpected behavior. This could be exploited to cause a denial-of-service or potentially gain unauthorized access, depending on the specific implementation and affected components. The vulnerability requires a specifically crafted input or condition to trigger the improper cleanup sequence. Successful exploitation could destabilize the system or expose sensitive data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (details unspecified in source).\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a specific operation that utilizes the IOMMU.\u003c/li\u003e\n\u003cli\u003eThe IOMMU processes the request, allocating resources for DMA operations.\u003c/li\u003e\n\u003cli\u003eThe initial operation completes or is terminated abnormally.\u003c/li\u003e\n\u003cli\u003eThe cleanup routine for the IOMMU fails to properly clear the iommu-dma operations.\u003c/li\u003e\n\u003cli\u003eSubsequent IOMMU operations may be affected by the uncleared state.\u003c/li\u003e\n\u003cli\u003eAn attacker exploits the lingering state to cause a denial-of-service by exhausting resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-37877 can lead to denial-of-service conditions due to resource exhaustion or system instability. The number of potential victims is broad, affecting systems that utilize the vulnerable IOMMU implementation. The primary impact involves the interruption of services and potential data loss or corruption, depending on the specific context of the exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to patch CVE-2025-37877 as soon as possible, as referenced in the advisory.\u003c/li\u003e\n\u003cli\u003eMonitor systems for unexpected IOMMU-related errors or resource exhaustion, which could indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T07:50:31Z","date_published":"2026-05-11T07:50:31Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2025-37877-iommu/","summary":"CVE-2025-37877 is a vulnerability in the iommu component requiring proper cleanup, affecting Microsoft products.","title":"CVE-2025-37877 iommu: Clear iommu-dma ops on cleanup","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2025-37877-iommu/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}