A denial-of-service flaw in the Linux kernel’s KSMBD subsystem, the in-kernel SMB3 file server, has raised alarms across the open-source community.
Tracked as CVE-2025-38501, the issue lets a remote, unauthenticated adversary exhaust every available SMB connection slot by abusing how the server handles half-open TCP sessions.
Key Takeaways
1. CVE-2025-38501 lets attackers exhaust KSMBD connections via half-open TCP handshakes.
2. PoC “KSMBDrain” floods servers with SYN packets to trigger the flaw.
3. Patched in Linux 6.1.15+; upgrade or rate-limit port 445.
A public proof-of-concept exploit, dubbed KSMBDrain, shows how an attacker can overwhelm a KSMBD server simply by initiating thousands of TCP three-way handshakes and never completing them, leaving the server holding those sockets indefinitely.
KSMBD DoS Attack
The flaw originates in how KSMBD accounts for incomplete connections: it enforces only a global ceiling and places no upper limit on pending SYN–ACK sockets from any one client. When a client sends a SYN, the kernel replies with a SYN–ACK and waits for the final ACK.
If that ACK never arrives, KSMBD keeps the connection slot reserved. By repeatedly sending SYN packets from a single IP address, an attacker can fill the max_connections limit configured in /etc/ksmbd/ksmbd.conf, after which every subsequent legitimate SMB connection is refused.
Administrators can set handshake_timeout as low as one minute, but that only slows the attack rather than preventing it: the attacker reopens half-open sessions as fast as the old ones expire, so a single source can keep the pool full for as long as it likes.
The publicly available PoC, written in Python, uses raw sockets to spawn handshake attempts in bulk. A snippet from poc.py reveals the simplicity of the exploit:

Run against a vulnerable server, the script quickly depletes the connection pool, leaving SMB shares unreachable and effectively halting file transfers and authentication services.
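The accounting problem the article describes, as an added model that is neither KSMBD's kernel code nor the KSMBDrain PoC: a connection table that enforces only a global max_connections ceiling, beside one that also caps slots per source address. The ConnectionTable class, its max_per_source parameter, and the simulate_flood and simulate_timeout_race helpers are constructs for this illustration; the per-source cap is an assumed shape of a fix, not taken from the upstream commit, and the tick-based timeout race is a simplification of handshake_timeout.

```python
# Added illustration of the accounting flaw described above. This is a toy
# model, not KSMBD's code: the class, its parameters and the simulate_*
# helpers are invented for the example, and the per-source cap is an assumed
# fix shape rather than the upstream patch.
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class ConnectionTable:
    """Server-side bookkeeping for connection slots.

    max_connections models the global ceiling from ksmbd.conf.
    max_per_source is None for the vulnerable behaviour (no per-client limit)
    or an integer for the hardened variant.
    """
    max_connections: int
    max_per_source: Optional[int] = None
    by_source: Counter = field(default_factory=Counter)

    @property
    def total(self) -> int:
        return sum(self.by_source.values())

    def accept(self, src_ip: str) -> bool:
        """Try to reserve a slot for src_ip; return True if admitted."""
        if self.total >= self.max_connections:
            return False  # pool exhausted: this is what legitimate clients hit
        if self.max_per_source is not None and self.by_source[src_ip] >= self.max_per_source:
            return False  # hardened variant: one source cannot take more than its share
        self.by_source[src_ip] += 1
        return True

    def expire(self, src_ip: str, n: int = 1) -> None:
        """Release n slots held by src_ip (e.g. handshake_timeout firing)."""
        self.by_source[src_ip] = max(0, self.by_source[src_ip] - n)


def simulate_flood(table: ConnectionTable, attacker: str, attempts: int,
                   victim: str) -> Dict[str, object]:
    """Attacker opens `attempts` half-open connections from one IP and never
    completes them; afterwards a legitimate client tries once."""
    admitted = sum(table.accept(attacker) for _ in range(attempts))
    return {
        "attacker_admitted": admitted,
        "legit_admitted": table.accept(victim),
        "total": table.total,
    }


def simulate_timeout_race(table: ConnectionTable, attacker: str, victim: str,
                          expire_per_tick: int, refill_per_tick: int, ticks: int) -> int:
    """Model handshake_timeout as a periodic release of attacker slots that the
    attacker refills each tick. Returns how many ticks the victim got a slot."""
    wins = 0
    for _ in range(ticks):
        table.expire(attacker, expire_per_tick)   # timeout frees some slots
        for _ in range(refill_per_tick):          # attacker reopens immediately
            table.accept(attacker)
        if table.accept(victim):                  # does a real client get in?
            wins += 1
            table.expire(victim)                  # it finishes and disconnects
    return wins


if __name__ == "__main__":
    attacker, victim = "203.0.113.10", "198.51.100.7"   # constructed addresses
    vuln = ConnectionTable(max_connections=128)
    print("global cap only:", simulate_flood(vuln, attacker, 1000, victim))
    print("victim wins with timeout, attacker refilling at same rate:",
          simulate_timeout_race(vuln, attacker, victim, 10, 10, 5))
    fixed = ConnectionTable(max_connections=128, max_per_source=8)
    print("with per-source cap:", simulate_flood(fixed, attacker, 1000, victim))
```

With the global cap alone the attacker takes all 128 slots and the legitimate client is refused; adding a timeout changes nothing as long as the attacker reopens sessions at least as fast as they expire. The per-source cap leaves the attacker with 8 slots and the rest of the pool free.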
| Risk Factors | Details |
| --- | --- |
| Affected Products | Linux kernel KSMBD subsystem (Linux 5.15 and later, from the module's merge into mainline) |
| Impact | Denial of service: exhaustion of the SMB connection pool |
| Exploit Prerequisites | Network reachability to the KSMBD server on TCP port 445; no authentication required |
| CVSS 3.1 Score | Not yet assigned |
Mitigations
The vulnerable behaviour has been present since the KSMBD module was merged into the mainline kernel in Linux 5.15. Upstream maintainers addressed the issue in commit e6bb9193974059ddbb0ce7763fa3882bd60d4dc3, which adds a configurable backlog limit and enforces a shorter tcp_synack_retries threshold for half-open sockets.
Distributions have begun rolling out updated kernel packages; users should apply the fix by upgrading to Linux 6.1.15 or later.
Where an immediate kernel upgrade is impractical, network-level rate limiting on TCP port 445 and stricter firewall rules (for example, a per-source connection cap in front of the server) reduce the exposure but do not remove the flaw.
Security teams should also watch for an abnormal number of SYN packets or idle connections from a single source and tune KSMBD's user-space settings to lower handshake_timeout and limit backlog counts.
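One way to act on that monitoring advice, as an added example that is not a tool from the article or from the KSMBD project: parse `ss -tanH` output, count sockets per peer address that sit in SYN-RECV or ESTAB against local port 445, and emit a block rule for any source above a threshold. The sample output, the 20-socket threshold and the iptables response are constructed assumptions for this example, not settings the page prescribes.

```python
# Added example: per-source socket counting over `ss -tanH` output.
# Not part of the article or of ksmbd-tools. The sample lines below are
# constructed; the threshold and the iptables response are assumptions.
import subprocess
from collections import Counter
from typing import Iterable, List, Optional, Tuple

SMB_PORT = 445
WATCHED_STATES = {"ESTAB", "SYN-RECV"}   # states a half-open or idle peer can hold


def _normalize_ip(ip: str) -> str:
    """Strip IPv6 brackets and fold v4-mapped addresses (::ffff:a.b.c.d) to IPv4."""
    ip = ip.strip("[]")
    return ip[7:] if ip.startswith("::ffff:") else ip


# Columns of `ss -tanH`: State Recv-Q Send-Q Local:Port Peer:Port [Process]
def parse_ss_line(line: str) -> Optional[Tuple[str, str, int, str, int]]:
    """Return (state, local_ip, local_port, peer_ip, peer_port), or None for
    rows that do not describe a peer (e.g. LISTEN rows whose peer port is '*')."""
    parts = line.split()
    if len(parts) < 5:
        return None
    state, local, peer = parts[0], parts[3], parts[4]
    try:
        lip, lport = local.rsplit(":", 1)
        pip, pport = peer.rsplit(":", 1)
        return state, _normalize_ip(lip), int(lport), _normalize_ip(pip), int(pport)
    except ValueError:
        return None


def smb_connections_per_source(lines: Iterable[str]) -> Counter:
    """Count watched-state sockets on local port 445, keyed by peer address."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_ss_line(line)
        if rec is None:
            continue
        state, _lip, lport, pip, _pport = rec
        if lport == SMB_PORT and state in WATCHED_STATES:
            counts[pip] += 1
    return counts


def find_offenders(counts: Counter, threshold: int = 20) -> List[Tuple[str, int]]:
    """Sources holding more than `threshold` SMB sockets, busiest first."""
    return sorted(((ip, n) for ip, n in counts.items() if n > threshold),
                  key=lambda item: (-item[1], item[0]))


def block_rules(offenders: Iterable[Tuple[str, int]]) -> List[str]:
    """iptables commands that drop further port-445 traffic from each offender."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {SMB_PORT} -j DROP"
            for ip, _ in offenders]


def live_offenders(threshold: int = 20) -> List[Tuple[str, int]]:
    """Run ss on this host (requires iproute2) and report offenders."""
    out = subprocess.run(["ss", "-tanH"], capture_output=True, text=True, check=True).stdout
    return find_offenders(smb_connections_per_source(out.splitlines()), threshold)


# Constructed sample: one peer holding 25 sockets (half of them half-open),
# a normal client with three (one over a v4-mapped IPv6 socket), a LISTEN
# row and an unrelated SSH session.
SAMPLE_SS_OUTPUT = (
    ["LISTEN     0      128    0.0.0.0:445        0.0.0.0:*"]
    + [f"{'SYN-RECV' if i % 2 else 'ESTAB'}   0      0      10.0.0.5:445       203.0.113.10:{40000 + i}"
       for i in range(25)]
    + ["ESTAB      0      0      10.0.0.5:445       198.51.100.7:50001",
       "ESTAB      0      0      10.0.0.5:445       198.51.100.7:50002",
       "ESTAB      0      0      [::ffff:10.0.0.5]:445  [::ffff:198.51.100.7]:50003",
       "ESTAB      0      0      10.0.0.5:22        203.0.113.10:39000"]
)


if __name__ == "__main__":
    demo = find_offenders(smb_connections_per_source(SAMPLE_SS_OUTPUT))
    for ip, n in demo:
        print(f"{ip}: {n} sockets on port {SMB_PORT}")
    for rule in block_rules(demo):
        print(rule)
```

Run it periodically (or call live_offenders() from a cron job) and feed the rules to your firewall of choice; the threshold should sit well above the number of parallel SMB sessions a legitimate client opens in your environment.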
Because SMB services remain a critical component of file sharing and authentication in enterprise networks, prompt patching is essential.
The KSMBDrain exploit underscores the need to defend against resource-exhaustion attacks that lean on protocol-level quirks rather than on code injection or privilege escalation.
Continuous monitoring and keeping kernels current will mitigate the risk posed by CVE-2025-38501.