A groundbreaking vulnerability, CVE-2025-37899, has been uncovered in the Linux kernel’s ksmbd component, marking a milestone in the use of artificial intelligence for cybersecurity.
The flaw, officially confirmed on May 20, 2025, was discovered using OpenAI’s o3 large language model (LLM), demonstrating the model’s advanced ability to reason about complex code and concurrent operations.
ksmbd is the Linux kernel’s in-kernel server that implements the SMB3 protocol, enabling file sharing over networks.
The vulnerability is a classic use-after-free bug in the handler for the SMB ‘logoff’ command.
This type of vulnerability can lead to severe consequences, including memory corruption and the potential for attackers to execute arbitrary code with kernel privileges.
Technical Details: Use-After-Free in SMB Logoff Handler
The root of CVE-2025-37899 lies in the way ksmbd manages session objects during concurrent operations.
When a user logs off, the handler function smb2_session_logoff() frees the sess->user object:
```c
if (sess->user) {
	ksmbd_free_user(sess->user);
	sess->user = NULL;
}
```
However, the SMB3 protocol allows multiple connections to bind to the same session.
If one thread processes a logoff and frees sess->user, another thread, still handling requests for the same session, may attempt to access this now-freed memory.
This unsynchronized access creates a use-after-free scenario, potentially leading to kernel memory corruption or privilege escalation.
The vulnerability is further complicated by the lack of proper reference counting or locking mechanisms around the sess->user pointer.
For example, while smb2_check_user_session() increments the session’s reference count, it does not protect sess->user itself from being freed by another thread.
This opens a window where one thread can dereference a freed pointer, as shown in typical code patterns:
```c
if (user_guest(sess->user))      /* potentially dereferences freed memory */
ksmbd_compare_user(sess->user, …)
sess->user->uid
```
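As an added illustration that is not ksmbd’s code or its actual fix, the following user-space C model shows the reference-counting discipline the article says is missing around sess->user: a request pins the user object before touching it, and a concurrent logoff can only drop the session’s own reference, so the object is freed once the last holder lets go. All struct and function names are hypothetical.

```c
#include <stdlib.h>
#include <pthread.h>

/* Constructed user-space model, not ksmbd code: a session owns a user object
 * that in-flight requests on other bound connections also read. One global
 * lock guards sess->user and the refcount (the kernel uses finer-grained ones). */
struct user { int uid; int refcount; };
struct session { struct user *user; };
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
static int users_freed;  /* how many user objects were actually freed */

/* Take a reference under the lock; NULL once the session is logged off. */
static struct user *user_get(struct session *sess) {
    pthread_mutex_lock(&lock);
    struct user *u = sess->user;
    if (u) u->refcount++;
    pthread_mutex_unlock(&lock);
    return u;
}
/* Drop a reference; only the last holder frees the object. */
static void user_put(struct user *u) {
    pthread_mutex_lock(&lock);
    if (--u->refcount == 0) { free(u); users_freed++; }
    pthread_mutex_unlock(&lock);
}
/* Logoff detaches the user and drops only the session's own reference, so a
 * request that already holds one keeps the object alive until its user_put(). */
static void session_logoff(struct session *sess) {
    pthread_mutex_lock(&lock);
    struct user *u = sess->user;
    sess->user = NULL;
    pthread_mutex_unlock(&lock);
    if (u) user_put(u);
}
/* The article's interleaving: a request takes the user, a logoff runs on
 * another connection, then the request finishes. Returns 0 if the user
 * outlived the logoff, later requests saw no user, and it was freed once. */
static int run_scenario(void) {
    struct user *user = calloc(1, sizeof *user);
    user->uid = 1000; user->refcount = 1;   /* the session's own reference */
    struct session sess = { user };
    users_freed = 0;
    struct user *held = user_get(&sess);    /* request in flight */
    session_logoff(&sess);                  /* concurrent logoff */
    int bad = users_freed != 0 || held->uid != 1000;  /* still valid */
    bad |= user_get(&sess) != NULL;         /* new requests see no user */
    user_put(held);                         /* in-flight request completes */
    return bad || users_freed != 1;
}
```

Reading sess->user bare, as in the patterns above, is exactly the step user_get() replaces: without the pinned reference the logoff path could free the object between the NULL check and the dereference.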
This bug affects multiple Linux kernel versions up to 6.12.27, 6.14.5, and 6.15-rc4, and is being addressed by major Linux distributions, including SUSE, which currently rates the issue as “moderate severity”.
AI’s Role: o3 Model Sets New Standard in Vulnerability Research
OpenAI’s o3 model, released in April 2025, is designed to “think for longer before responding,” enabling it to tackle complex tasks such as code analysis and vulnerability detection.
In this case, the researcher provided o3 with the relevant codebase and instructed it to look for use-after-free vulnerabilities.
The model successfully identified not only known bugs but also this previously undisclosed zero-day.
The process involved feeding o3 the code for all SMB command handlers and related session management routines, amounting to approximately 12,000 lines of code.
o3 was able to reason about the interactions between concurrent threads and detect the subtle race condition at the heart of CVE-2025-37899.
Security experts note that while the Exploit Prediction Scoring System (EPSS) currently estimates a relatively low exploitation probability of 0.02%, the discovery marks a watershed moment for AI-assisted security research.
Rather than replacing human experts, models like o3 are becoming powerful tools that can efficiently analyze large, complex codebases and assist researchers in identifying critical flaws.
As AI continues to evolve, its integration into cybersecurity workflows is expected to accelerate, with the discovery of CVE-2025-37899 a sign of things to come for both defenders and attackers in the digital landscape.