Linux Kernel ksmbd Flaw Lets Remote Attackers Execute Arbitrary Code


A critical vulnerability in the Linux Kernel’s ksmbd file sharing component allows remote attackers to execute code with kernel privileges.

Tracked as CVE-2025-38561, this flaw affects Linux distributions that include the ksmbd SMB server implementation.

Authentication is required, but a successful exploit can grant full control of the affected host. Vendors and administrators should apply the patched update immediately to prevent potential compromise.

Technical Overview

The flaw resides in the handling of the Preauth_HashValue field during SMB2 session setup. When processing this field, ksmbd fails to enforce proper locking, leading to a race condition.

Vulnerability: ksmbd smb2_sess_setup Preauth_HashValue Race Condition RCE
CVE-ID: CVE-2025-38561
CVSS 3.1 Score: 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
Affected Vendors: Linux

An attacker with valid credentials can trigger a situation where two threads access and modify the same memory object concurrently, as reported by ZDI.

This unsynchronized access can corrupt memory and divert program execution flow, ultimately allowing arbitrary code execution in the kernel context.

Although the vulnerability requires authentication, many environments expose SMB servers to wide networks, increasing the risk of credential interception or reuse.

Once exploited, an attacker gains the highest privilege level on the system. The issue was reported privately on July 22, 2025, and publicly disclosed on September 24, 2025, following coordinated vendor advisories.

This vulnerability carries a CVSS 3.1 base score of 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

The high score reflects network attack vector, low privileges required, no user interaction, and a scope change leading to full confidentiality, integrity, and availability compromise.

Affected components include:

  • ksmbd SMB2 server module in Linux Kernel
  • Any Linux distribution or custom build incorporating the vulnerable kernel versions

Linux maintainers have merged a patch that adds proper locking around the Preauth_HashValue operations, synchronizing access to the field and eliminating the race condition. Administrators should update to the latest kernel release or the backported security update from their distribution vendor. Specifically, they should:

  1. Identify systems running a vulnerable kernel version.
  2. Apply the latest security update from the official Linux kernel stable branch or distribution vendor.
  3. Reboot affected hosts to load the patched kernel.
  4. Review SMB server exposure and consider network segmentation to limit access to SMB services.

Users relying on backported kernels should watch for distribution advisories. No workaround other than patching is available, and delaying updates may expose critical infrastructure and data to compromise.
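The following exposure check is an added example, not code from the article or the kernel project. It supports steps 1 and 4 above by reporting the running kernel, whether the ksmbd module is loaded or built in, and whether anything listens on TCP 445; it does not test for the flaw itself, and since the patched version range is not stated here, the reported kernel version must be compared against the distribution's advisory.

```shell
#!/bin/sh
# Added example: ksmbd exposure check for the advisory above.
# Reports facts an administrator needs to prioritise patching and
# segmentation. It does NOT detect the vulnerability; compare the
# kernel version it prints against your distribution's advisory.

# ksmbd_present LSMOD_OUTPUT MODULES_BUILTIN_CONTENT
# Prints "loaded", "builtin" or "absent" given the text of "lsmod" and
# of /lib/modules/$(uname -r)/modules.builtin (taken as arguments so the
# logic can be exercised on captured output).
ksmbd_present() {
    if printf '%s\n' "$1" | grep -q '^ksmbd[[:space:]]'; then
        echo loaded
    elif printf '%s\n' "$2" | grep -q '/ksmbd\.ko'; then
        echo builtin
    else
        echo absent
    fi
}

# smb_listeners SS_OUTPUT
# Given headerless "ss -Hltn" output, prints each local address:port
# that is listening on TCP 445 (the SMB port ksmbd serves).
smb_listeners() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" && $4 ~ /:445$/ { print $4 }'
}

# report: gather live data from this host and print a short summary.
report() {
    lsmod_out=$(lsmod 2>/dev/null || true)
    builtin_out=$(cat "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null || true)
    echo "kernel:  $(uname -r)"
    echo "ksmbd:   $(ksmbd_present "$lsmod_out" "$builtin_out")"
    listeners=$(smb_listeners "$(ss -Hltn 2>/dev/null || true)")
    if [ -n "$listeners" ]; then
        echo "tcp/445 listening on:"
        printf '  %s\n' $listeners
    else
        echo "tcp/445: no listener"
    fi
}

# Run the live report unless KSMBD_CHECK_NO_RUN is set (e.g. when sourced).
[ -n "${KSMBD_CHECK_NO_RUN:-}" ] || report
```

A host that prints "loaded" or "builtin" together with a 445 listener is exposed to the session-setup code path and should be patched and rebooted first.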

Nicholas Zubrisky (@NZubrisky) of Trend Research is credited with discovering and responsibly disclosing the flaw.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.