Security researcher Norbert Szetei has unveiled a fully functional proof-of-concept exploit for CVE-2025-37947, a deterministic out-of-bounds write vulnerability in the Linux kernel’s ksmbd filesystem module.
Unlike earlier ksmbd flaws that hinged on unreliable race conditions or environmental dependencies, this defect yields a deterministic OOB write primitive.
Szetei's PoC, tested on Ubuntu 22.04.5 LTS with kernel 5.15.0-153-generic, reliably achieves local root by overflowing a zero-initialized buffer allocated via kvmalloc() when the streams_xattr VFS module is enabled on a share.
Root Cause and Exploitation
The vulnerability stems from the ksmbd_vfs_stream_write() function in fs/ksmbd/vfs.c.
When an SMB share is configured with vfs objects = streams_xattr, the function caps the stream buffer it allocates at XATTR_SIZE_MAX (0x10000 bytes), but it never checks the client-supplied write offset against that cap.
A stream write at offset *pos = 0x10000 with count = 8 therefore leaves the allocation at 0x10000 bytes while the copy still targets *pos:

```c
memcpy(&stream_buf[*pos], buf, count);
```

This memcpy writes eight bytes past the end of the allocated buffer.
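The following user-space model reproduces the size handling described above so the off-by-cap behaviour can be observed without a kernel. It is an added example, not code from the page, from Szetei's PoC, or from the kernel: the cap-and-copy logic is modelled on the pre-patch function, while the 64-byte red zone used to count overflowed bytes and the `hardened` bounds check (which rejects any request that does not fit under XATTR_SIZE_MAX, and is not the upstream patch verbatim) are this example's own constructions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XATTR_SIZE_MAX 0x10000   /* kernel's per-xattr value limit */
#define GUARD          64        /* constructed red zone after the buffer (not in the kernel) */
#define GUARD_BYTE     0xAA

/*
 * Model one call of the pre-patch ksmbd_vfs_stream_write() size logic and
 * perform its final memcpy into a buffer followed by a GUARD-byte red zone.
 *
 *   pos, count : offset and length of the client's stream write
 *   v_len      : length of the stream's existing xattr value
 *   hardened   : apply an explicit bounds check (illustrative fix, not the upstream one)
 *
 * Returns the number of red-zone bytes the memcpy overwrote (0 = in bounds),
 * -EINVAL if the hardened check rejected the write, -E2BIG if the write would
 * run past the red zone (refused so the model itself never corrupts the heap).
 */
int stream_write_overflow(uint64_t pos, size_t count, size_t v_len, bool hardened)
{
    /* Illustrative hardening: refuse any request that cannot fit under the cap. */
    if (hardened && (pos >= XATTR_SIZE_MAX || count > XATTR_SIZE_MAX - pos))
        return -EINVAL;

    /* Modelled on the vulnerable kernel logic: the allocation is capped at
     * XATTR_SIZE_MAX and count is reduced, but pos is left untouched. */
    size_t size = pos + count;
    if (size > XATTR_SIZE_MAX) {
        size = XATTR_SIZE_MAX;
        count = (pos + count) - XATTR_SIZE_MAX;
    }
    /* The kernel keeps the existing value if it is large enough, otherwise it
     * allocates a zeroed buffer of `size` bytes via kvmalloc(). */
    size_t alloc = v_len < size ? size : v_len;

    if (pos + count > alloc + GUARD)
        return -E2BIG;

    uint8_t *stream_buf = malloc(alloc + GUARD);
    uint8_t *payload = malloc(count ? count : 1);
    if (!stream_buf || !payload) {
        free(stream_buf);
        free(payload);
        return -ENOMEM;
    }
    memset(stream_buf, 0, alloc);
    memset(stream_buf + alloc, GUARD_BYTE, GUARD);
    memset(payload, 0x41, count);              /* constructed client data */

    memcpy(&stream_buf[pos], payload, count);  /* the vulnerable copy */

    int clobbered = 0;
    for (size_t i = 0; i < GUARD; i++)
        if (stream_buf[alloc + i] != GUARD_BYTE)
            clobbered++;

    free(payload);
    free(stream_buf);
    return clobbered;
}

int main(void)
{
    struct { uint64_t pos; size_t count; const char *what; } cases[] = {
        { 0x0000,  0x10, "ordinary write inside the cap" },
        { 0xFFFF,  0x8,  "write straddling the cap" },
        { 0x10000, 0x8,  "the PoC's parameters" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int vuln = stream_write_overflow(cases[i].pos, cases[i].count, 0, false);
        int hard = stream_write_overflow(cases[i].pos, cases[i].count, 0, true);
        printf("pos=0x%05llx count=%zu (%s): vulnerable -> %d bytes OOB, hardened -> %s\n",
               (unsigned long long)cases[i].pos, cases[i].count, cases[i].what,
               vuln, hard == -EINVAL ? "rejected" : "accepted");
    }
    return 0;
}
```

With the PoC's parameters the model reports exactly 8 red-zone bytes overwritten; a write that straddles the cap (pos = 0xFFFF, count = 8) still leaks 6 bytes past the end because count is reduced to the excess rather than to the remaining room, which is why the offset itself has to be validated.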
By shaping the heap through allocator manipulation, Szetei arranges for the overflow to land in a targeted order-4 allocation placed directly after the stream buffer.
In his exploit that object is a primary msg_msg (the header segment of a System V IPC message), which turns the eight-byte overwrite into controlled pointer corruption.
The exploit then runs an orchestrated spray, free, and reclaim sequence to trigger a use-after-free, uses kernel memory leaks to defeat KASLR, and finishes with a stack pivot into a ROP chain; because the chain executes only existing kernel code, SMEP and SMAP do not stop it.
Szetei's PoC was validated on a standard Ubuntu desktop environment running kernel 5.15.0-153-generic.
A writable SMB share was created with the streams_xattr module enabled, and valid user credentials were supplied.
Upon execution, the exploit overflowed the zero-initialized buffer, corrupted the adjacent kernel structures, and obtained root privileges.
The complete exploit flow and source code are hosted on GitHub, giving researchers and defenders a detailed roadmap of each attack stage.
CVE-2025-37947 poses a severe risk to environments that run vulnerable kernels and serve SMB shares through ksmbd with extended attribute streams.
Because the trigger requires only authenticated access to a writable share with streams_xattr enabled, any standard user account can escalate to root and compromise host integrity.
Organizations should prioritize upstream patches or distribution kernel updates.
As an interim safeguard, removing streams_xattr from the share's vfs objects, or revoking write permissions on affected SMB shares, removes the trigger condition.
CVE | Description | Affected Kernel Versions | CVSS 3.1 Score | Exploit Prerequisites |
---|---|---|---|---|
CVE-2025-37947 | OOB write in ksmbd_vfs_stream_write() when streams_xattr is enabled, leading to LPE | Linux 5.15.0 through 6.x (pre-patch) | 7.8 | Authenticated SMB user; writable share with streams_xattr enabled |
Monitoring /var/log/kern.log (or dmesg) for ksmbd errors, oops or panic traces left by failed exploitation attempts, and unusual SMB activity can aid detection; note that a successful overflow on a production kernel without KASAN leaves no write-time trace of its own.
Enforcing least-privilege SMB account policies and isolating mission-critical systems from untrusted networks further reduces exposure until full remediation is confirmed.