A critical security flaw in the Linux Kernel’s ksmbd file‐sharing component permits remote attackers to execute arbitrary code with full kernel privileges.
Tracked as CVE-2025-38561, the vulnerability impacts Linux distributions incorporating the ksmbd SMB server implementation.
Although valid authentication is required, successful exploitation leads to complete system compromise, making immediate patching essential for administrators and vendors.
Technical Overview
The vulnerability resides in the ksmbd module’s handling of the Preauth_HashValue field during SMB2 session setup.
When a client initiates a session, ksmbd computes a hash value for pre-authentication.
Due to a missing synchronization mechanism, two concurrent threads can process and modify the same memory object without proper locking.
This race condition corrupts memory and diverts the kernel's execution flow into attacker-controlled instructions, which amounts to arbitrary code execution in kernel context.
The flaw was privately reported on July 22, 2025, and publicly disclosed on September 24, 2025, after coordinated vendor advisories.
A proof-of-concept exploit demonstrates how an authenticated attacker can trigger the race by rapidly invoking session requests, forcing ksmbd threads into the unsynchronized code path.
Although it requires low-privileged credentials, the attack bypasses all kernel memory protections once memory corruption is achieved, escalating to full root privileges.
Vulnerability Details and Impact
CVE-2025-38561 carries a CVSS 3.1 base score of 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H), reflecting its network attack vector, low privileges required, absence of user interaction, and potential for full system compromise.
Affected components include the ksmbd SMB2 server module in any Linux Kernel version that incorporates this SMB implementation.
Common enterprise and cloud environments often expose SMB services to broad networks, increasing the risk of credential interception or reuse to carry out the exploit.
Once exploited, an attacker attains the highest privilege level, enabling complete control over the target host.
Threat actors could install persistent backdoors, manipulate critical system files, or pivot into other networked assets.
Industrial control systems, file servers, and virtualization hosts running vulnerable kernels are particularly at risk due to their reliance on high-availability file sharing.
Mitigation and Recommendations
Linux maintainers have patched the flaw by introducing proper locking around Preauth_HashValue operations to eliminate the race condition. Administrators should urgently:
Identify and inventory all systems running the vulnerable ksmbd implementation.
Apply the latest kernel security update from the official stable branch or distribution vendor repositories.
Reboot affected hosts to load the patched kernel image.
Review network architecture to limit SMB exposure and enforce strict segmentation.
Monitor distribution advisories for backported fixes on long-term support kernels.
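As an added example (not from the article or the kernel project), the following POSIX sh check supports the first and fourth steps above: it reports whether ksmbd is loaded, built in, available on disk or absent on a host, and counts listeners on tcp/445 from `ss -ltn` output. It assumes the module lives at the standard path fs/smb/server/ksmbd.ko; which kernel builds carry the fix varies by distribution, so the script reports scope, not patch status.

```shell
#!/bin/sh
# Added example, not kernel or article code. Inventory check for CVE-2025-38561:
# is ksmbd present on this host, and is anything listening on SMB tcp/445?
# Assumption: ksmbd ships as fs/smb/server/ksmbd.ko or is listed in modules.builtin.

# ksmbd_state ROOT KVER -> prints: loaded | builtin | available | absent
# ROOT is a filesystem prefix ("" for the live host) so the function can also be
# run against a constructed directory tree.
ksmbd_state() {
    root=$1; kver=$2
    moddir="$root/lib/modules/$kver"
    if [ -d "$root/sys/module/ksmbd" ]; then
        echo loaded                   # present in the running kernel right now
    elif grep -qs '/ksmbd\.ko$' "$moddir/modules.builtin"; then
        echo builtin                  # compiled in: present at every boot
    elif find "$moddir" -name 'ksmbd.ko*' 2>/dev/null | grep -q .; then
        echo available                # on disk; ksmbd.mountd can load it
    else
        echo absent
    fi
}

# smb_listener_count: reads `ss -ltn` style output on stdin and prints the
# number of TCP listeners bound to port 445 (0.0.0.0:445, [::]:445, *:445).
smb_listener_count() {
    grep -c -E '[]*.0-9a-f]:445([[:space:]]|$)' || true
}

# report ROOT KVER -> one-line verdict for the host (or constructed tree)
report() {
    state=$(ksmbd_state "$1" "$2")
    case $state in
        absent) echo "ksmbd $state: host not in scope for CVE-2025-38561" ;;
        *) echo "ksmbd $state on kernel $2: check the distribution advisory and patch" ;;
    esac
}

# Run against the live host only when invoked as: sh ksmbd_check.sh --run
if [ "${1:-}" = "--run" ]; then
    report "" "$(uname -r)"
    if command -v ss >/dev/null 2>&1; then
        echo "SMB (tcp/445) listeners: $(ss -ltn 2>/dev/null | smb_listener_count)"
    fi
fi
```

Hosts reported as loaded, builtin or available belong on the patch list; a non-zero listener count on a host that does not need SMB is a candidate for the segmentation step.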
No viable workaround exists beyond patching. Delaying updates risks exposure of critical infrastructure and sensitive data.
Organizations relying on third-party or custom‐built kernels must coordinate with vendors to obtain timely backports.
Nicholas Zubrisky of Trend Research is credited with the responsible discovery and disclosure of CVE-2025-38561.
Immediate action will safeguard systems against potential compromise arising from this severe kernel-level vulnerability.