A severe vulnerability in the Linux kernel’s ksmbd SMB server implementation has been disclosed, potentially allowing authenticated remote attackers to execute arbitrary code on affected systems.
The vulnerability, tracked as CVE-2025-38561 and assigned a CVSS score of 8.5, represents a significant security risk for Linux systems utilizing the kernel-based SMB server functionality.
The flaw, disclosed by the Zero Day Initiative, stems from improper handling of the Preauth_HashValue field within the smb2_sess_setup function.
This race condition vulnerability occurs due to inadequate locking mechanisms when performing operations on kernel objects, creating an opportunity for attackers to manipulate memory structures and achieve code execution within kernel context.
Linux Ksmbd Vulnerability (CVE-2025-38561)
The vulnerability affects the ksmbd service, which provides in-kernel SMB server functionality as an alternative to the traditional Samba implementation.
Unlike user-space SMB servers, ksmbd runs in kernel space, which makes successful exploitation particularly dangerous because it grants attackers kernel-level privileges.
The attack requires initial authentication to the SMB service, meaning attackers must possess valid credentials or successfully authenticate through other means before triggering the vulnerability.
Once authenticated, the race condition in the session setup process can be exploited to corrupt memory structures and redirect code execution flow.
Technical analysis reveals that the vulnerability manifests during SMB2 session establishment when the server processes authentication hash values.
The lack of proper synchronization between concurrent operations creates a window where memory corruption can occur, potentially leading to arbitrary code execution with kernel privileges.
The vulnerability disclosure follows responsible disclosure practices, with researcher Nicholas Zubrisky of Trend Research reporting the issue to Linux maintainers on July 22, 2025.
| Risk Factors | Details |
| --- | --- |
| Affected Products | Linux Kernel (ksmbd SMB server implementation) |
| Impact | Remote Code Execution |
| Exploit Prerequisites | Authentication required – Valid SMB credentials needed to access ksmbd service |
| CVSS 3.1 Score | 8.5 (High) |
Mitigations
Linux maintainers have released patches addressing this vulnerability, with the fix available in the stable kernel tree under commit 44a3059c4c8cc635a1fb2afd692d0730ca1ba4b6.
System administrators should prioritize updating their Linux kernels to versions containing this security fix, particularly on systems exposed to untrusted networks or users.
Organizations utilizing ksmbd for file-sharing services should implement additional security measures, including network segmentation, strict authentication controls, and monitoring for suspicious SMB traffic patterns.
Consider temporarily disabling ksmbd services on non-critical systems until patching can be completed.
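To decide which hosts to patch or disable first, the read-only check below reports whether ksmbd is loaded and whether anything is listening for SMB. It is an added example, not code from the advisory or the kernel project; it assumes ksmbd uses the default TCP port 445, and the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: ksmbd exposure triage for CVE-2025-38561 (not from the advisory).
# File paths are parameters so the parsers also run on constructed sample data.

# ksmbd_loaded [modules_file]: succeeds if ksmbd is listed as a loaded module.
# Caveat: a ksmbd built into the kernel image does not appear in /proc/modules.
ksmbd_loaded() {
    awk '$1 == "ksmbd" { found = 1 } END { exit !found }' "${1:-/proc/modules}" 2>/dev/null
}

# smb_listeners [tcp_table...]: print local address:port entries that are in
# LISTEN state (st == 0A) on TCP port 445 (hex 01BD), IPv4 and IPv6 tables.
smb_listeners() {
    [ $# -gt 0 ] || set -- /proc/net/tcp /proc/net/tcp6
    for table in "$@"; do
        [ -r "$table" ] || continue
        awk '$4 == "0A" { n = split($2, a, ":"); if (a[n] == "01BD") print $2 }' "$table"
    done
}

# ksmbd_triage [modules_file [tcp_table...]]: print one verdict word.
ksmbd_triage() {
    modules=${1:-/proc/modules}
    if [ $# -gt 0 ]; then shift; fi
    listeners=$(smb_listeners "$@")
    if ksmbd_loaded "$modules"; then
        if [ -n "$listeners" ]; then echo exposed; else echo loaded-not-listening; fi
    elif [ -n "$listeners" ]; then
        echo other-smb-listener   # Samba, or a built-in ksmbd: inspect by hand
    else
        echo not-exposed
    fi
}

# Constructed sample data (not captured from a real host).
sample_dir=$(mktemp -d)
printf '%s\n' 'ksmbd 401408 0 - Live 0x0000000000000000' \
              'ext4 1150976 1 - Live 0x0000000000000000' > "$sample_dir/modules"
printf '%s\n' '  sl  local_address rem_address   st tx_queue rx_queue' \
              '   0: 00000000:01BD 00000000:0000 0A 00000000:00000000' \
              '   1: 0100007F:0277 00000000:0000 0A 00000000:00000000' > "$sample_dir/tcp"

echo "sample host: $(ksmbd_triage "$sample_dir/modules" "$sample_dir/tcp")"
echo "this host:   $(ksmbd_triage)"
```

None of the verdicts says whether the running kernel contains commit 44a3059c4c8cc635a1fb2afd692d0730ca1ba4b6; confirm that against the distribution's kernel changelog.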