Security researcher Norbert Szetei published the final installment of his deep-dive into the ksmbd filesystem module, culminating in a working proof-of-concept exploit targeting CVE-2025-37947.
Unlike earlier use-after-free candidates that required complex race conditions or depended on external factors, this vulnerability offers a deterministic out-of-bounds (OOB) write primitive.
Szetei’s PoC was tested on Ubuntu 22.04.5 LTS running kernel 5.15.0-153-generic, demonstrating a reliable path to local root by carefully overflowing a zero-initialized buffer allocated via kvmalloc().
Root Cause and Exploitation
The flaw resides in the ksmbd_vfs_stream_write() function in fs/ksmbd/vfs.c.
When a writable share is configured with vfs objects = streams_xattr, the code caps the total size at XATTR_SIZE_MAX (0x10000) but still allows a write beyond that limit by setting *pos to 0x10000 and count to 8.
The subsequent memcpy(&stream_buf[*pos], buf, count) writes eight bytes past the buffer boundary, granting an attacker controlled memory corruption.
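To make the check failure concrete, the following C model is added here as an example; it is not the kernel's code and not Szetei's PoC. It reproduces the pattern the article describes (clamp the total size to XATTR_SIZE_MAX, then copy `count` bytes at `*pos` without ever comparing `*pos` against the clamped size) beside a hardened planner that rejects any offset at or beyond the cap. The function and struct names, and the decision to reject rather than truncate an over-long count, are this example's own choices. The planners only compute the numbers a memcpy would be handed and never perform the copy, so it is safe to run.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* The cap the article cites for an xattr-backed stream buffer. */
#define XATTR_SIZE_MAX 0x10000

/*
 * Outcome of the size computation that precedes the copy into the
 * freshly allocated stream buffer. Nothing here touches real memory;
 * the planner only decides the numbers a memcpy would be handed.
 */
struct write_plan {
	size_t buf_size;	/* bytes the destination buffer is allocated with */
	size_t pos;		/* offset the copy starts at (the *pos argument) */
	size_t count;		/* bytes the copy would move */
	int err;		/* 0 on success, negative errno otherwise */
};

/*
 * Simplified model of the pre-patch behaviour the article describes
 * (not the kernel's code): pos + count is clamped to XATTR_SIZE_MAX to
 * size the buffer, but the offset itself is never compared against that
 * clamped size, so the copy can start at or past the end of the buffer.
 */
struct write_plan plan_stream_write_vulnerable(size_t pos, size_t count)
{
	struct write_plan p = { .pos = pos, .count = count, .err = 0 };
	size_t size = pos + count;

	if (size > XATTR_SIZE_MAX)
		size = XATTR_SIZE_MAX;	/* caps the allocation, not the write */

	p.buf_size = size;
	return p;
}

/*
 * Hardened variant written for this example: an offset at or beyond the
 * cap is rejected outright, and so is a count that would run past the
 * cap. The subtraction form avoids the size_t wrap-around that pos + count
 * could suffer with caller-chosen values.
 */
struct write_plan plan_stream_write_hardened(size_t pos, size_t count)
{
	struct write_plan p = { .pos = pos, .count = count, .err = 0 };

	if (pos >= XATTR_SIZE_MAX || count > XATTR_SIZE_MAX - pos) {
		p.buf_size = 0;
		p.err = -EINVAL;
		return p;
	}
	p.buf_size = pos + count;
	return p;
}

/* Bytes that memcpy(&buf[pos], src, count) would write past the end of buf. */
size_t plan_overflow_bytes(const struct write_plan *p)
{
	if (p->err)
		return 0;	/* a rejected write never reaches the copy */
	if (p->pos + p->count <= p->buf_size)
		return 0;
	return p->pos + p->count - p->buf_size;
}

/* Convenience wrappers so the two planners can be compared by one number each. */
size_t overflow_vulnerable(size_t pos, size_t count)
{
	struct write_plan p = plan_stream_write_vulnerable(pos, count);
	return plan_overflow_bytes(&p);
}

int hardened_err(size_t pos, size_t count)
{
	return plan_stream_write_hardened(pos, count).err;
}

int main(void)
{
	/* The trigger values the article quotes: *pos = 0x10000, count = 8. */
	struct write_plan v = plan_stream_write_vulnerable(0x10000, 8);
	struct write_plan h = plan_stream_write_hardened(0x10000, 8);

	printf("vulnerable: buf=%#zx pos=%#zx count=%zu -> %zu bytes past end\n",
	       v.buf_size, v.pos, v.count, plan_overflow_bytes(&v));
	printf("hardened:   err=%d -> %zu bytes past end\n",
	       h.err, plan_overflow_bytes(&h));
	return 0;
}
```

The point the model makes is that capping the allocation size is not the same as validating the offset the copy starts at: with the article's values the clamped buffer is exactly 0x10000 bytes and the copy begins at offset 0x10000, so every byte of `count` lands outside it. A review checklist item that follows from this is to look, at every clamp of a combined size, for a separate check on each component that later indexes the buffer.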
Heap shaping through SLUB allocator manipulation ensures that the overflow lands adjacent to a target order-4 slab object, in Szetei’s case primarily msg_msg kernel messages, enabling pointer corruption.
The exploit’s spray, free, and reclaim steps lead to a use-after-free chain, followed by kernel memory leaks used for SMAP, SMEP, and KASLR bypasses, culminating in a stack pivot and ROP chain execution.
The complete exploit flow and source code are available on GitHub.
| CVE | Description | Affected Kernel Versions | CVSS 3.1 Score | Exploit Prerequisites |
| --- | --- | --- | --- | --- |
| CVE-2025-37947 | OOB write in ksmbd_vfs_stream_write() when streams_xattr is enabled, leading to local privilege escalation | Linux 5.15.0 through 6.x (pre-patch) | 7.8 | Authenticated SMB user; writable share with streams_xattr enabled |
CVE-2025-37947 poses a significant threat in environments where SMB file shares rely on ksmbd with extended attribute streams enabled.
Because it requires only valid credentials and minimal share configuration, attackers with standard user accounts can achieve root privileges, undermining host integrity.
Organizations running affected kernels should immediately apply upstream patches or distribution updates.
As a temporary mitigation, disabling the streams_xattr VFS object or removing write permissions from SMB shares removes the trigger conditions.
Monitoring for unusual SMB activity and inspecting /var/log/kern.log for OOB write traces can help detect attempted exploitation.
Finally, enforcing least-privilege SMB account policies and isolating critical systems from untrusted networks further reduces risk until full remediation is confirmed.