A high-severity vulnerability has been disclosed in the Linux kernel's ksmbd module, the in-kernel SMB server, that can be exploited by authenticated attackers to achieve remote code execution.
Tracked as CVE-2025-38561, the flaw stems from a race condition in the handling of the per-session Preauth_HashValue, the SMB 3.1.1 pre-authentication integrity hash, during SMB2 session setup.
With a CVSS 3.1 score of 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H), the vulnerability poses a significant threat to systems running the affected kernel versions.
The underlying issue resides in the ksmbd implementation of the SMB2 session setup handshake. When processing the Preauth_HashValue, the code does not hold the appropriate lock while accessing the shared session state.
This absence of locking creates a window in which a concurrent session setup request for the same session can modify or release that state while another request is still using it, corrupting kernel memory or redirecting execution flow.
In practice, an attacker with valid SMB credentials can issue overlapping session setup requests timed to hit the window, and then use the resulting memory corruption to plant attacker-controlled pointers or payloads.
Once the race succeeds, control transfers to attacker-supplied code in kernel context, with the full privileges of the kernel itself.
Two factors shape exploitation, both visible in the CVSS vector: the attacker needs only valid, low-privileged SMB credentials (PR:L), and the timing race must be won by coordinating multiple concurrent SMB2 session setup requests (AC:H). The complexity is therefore moderate, but the impact of arbitrary code execution at the kernel level cannot be overstated.
Successful exploitation could lead to full system compromise, data exfiltration, or deployment of persistent rootkits.
The vulnerability affects all maintained Linux kernel releases that include the ksmbd module (merged in Linux 5.15) and support SMB2 operations.
This encompasses kernels in enterprise distributions and custom builds that integrate ksmbd for SMB file sharing. A host is exposed only if ksmbd is actually built (CONFIG_SMB_SERVER) and started: the server is brought up by the ksmbd.mountd user-space tool, so a kernel that ships the module but never loads it is not listening for SMB connections.
Linux maintainers have responded swiftly: on September 24, 2025, an advisory was issued alongside patched kernel commits.
These updates introduce proper mutex locking around the Preauth_HashValue handling routines, effectively eliminating the race window exploited by attackers.
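To make the race and the fix pattern concrete, here is an added example; it is not ksmbd's code and not the kernel patch. It is a deterministic C model of a check-then-use race on a per-session pre-auth hash buffer, with the unsynchronised handler beside a locked one. The names (struct session, setup_vulnerable, setup_fixed, teardown, teardown_locked), the XOR "hash update" and the constructed request bytes are illustrative assumptions; a hook called between the check and the use stands in for the scheduler, so the interleaving reproduces on every run instead of depending on timing.

```c
/* Added example, not ksmbd's code: a deterministic model of a check-then-use race
 * on a per-session pre-auth hash buffer, beside the locked version. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#define HASH_LEN 64

struct session {
    pthread_mutex_t lock;        /* held by the fixed path only */
    unsigned char *preauth_hash; /* running pre-auth hash; NULL after teardown */
    int valid;                   /* 0 once the session has been torn down */
};
typedef void (*other_request_fn)(struct session *);

/* Instrumented free(): remember the last freed pointer so a use-after-free can be
 * detected without dereferencing freed memory (which would be undefined). */
static void *last_freed;
static void tracked_free(void *p) { last_freed = p; free(p); }

int session_init(struct session *s)
{
    if (!(s->preauth_hash = calloc(1, HASH_LEN)))
        return -1;
    s->valid = 1;
    last_freed = NULL; /* a fresh live allocation may reuse a freed address */
    return pthread_mutex_init(&s->lock, NULL);
}

/* What a competing SESSION_SETUP may do to the same session: tear it down. */
void teardown(struct session *s)
{
    s->valid = 0;
    tracked_free(s->preauth_hash);
    s->preauth_hash = NULL;
}

/* Toy stand-in for the real hash update: fold request bytes into the buffer. */
static void hash_update(unsigned char *h, const unsigned char *req, size_t len)
{
    for (size_t i = 0; i < len; i++)
        h[i % HASH_LEN] ^= req[i];
}

/* VULNERABLE: the validity check and the use are not covered by one lock, so a
 * competing request can run between them. Returns -2 at the point where real
 * code would read and write the freed buffer. */
int setup_vulnerable(struct session *s, const unsigned char *req, size_t len,
                     other_request_fn other)
{
    if (!s->valid || !s->preauth_hash)
        return -1;
    unsigned char *h = s->preauth_hash; /* captured before the window */
    if (other)
        other(s);                       /* competing request runs here */
    if (h == last_freed)
        return -2;                      /* the use-after-free */
    hash_update(h, req, len);
    return 0;
}

/* FIXED: check, use and teardown all run under the session lock. In this
 * single-threaded model a competing request that finds the lock held notes that
 * it is waiting and is replayed once the lock is released. */
static int pending_teardown;
void teardown_locked(struct session *s)
{
    if (pthread_mutex_trylock(&s->lock) != 0) {
        pending_teardown = 1;           /* would block on the mutex */
        return;
    }
    teardown(s);
    pthread_mutex_unlock(&s->lock);
}

int setup_fixed(struct session *s, const unsigned char *req, size_t len,
                other_request_fn other)
{
    int rc = -1;
    pthread_mutex_lock(&s->lock);
    if (s->valid && s->preauth_hash) {
        unsigned char *h = s->preauth_hash;
        if (other)
            other(s);                    /* cannot enter: has to wait for us */
        rc = (h == last_freed) ? -2 : 0; /* -2 is unreachable while locked */
        if (rc == 0)
            hash_update(h, req, len);
    }
    pthread_mutex_unlock(&s->lock);
    if (pending_teardown) {              /* the waiting request proceeds now */
        pending_teardown = 0;
        teardown_locked(s);
    }
    return rc;
}

int main(void)
{
    static const unsigned char req[] = "SESSION_SETUP bytes (constructed)";
    struct session a, b;
    session_init(&a);
    printf("vulnerable: %d (-2 = use-after-free)\n",
           setup_vulnerable(&a, req, sizeof req, teardown));
    session_init(&b);
    printf("fixed: %d (0 = hashed before the deferred teardown)\n",
           setup_fixed(&b, req, sizeof req, teardown_locked));
    return 0;
}
```

The point the model makes is that a NULL check on its own proves nothing once the lock is dropped: the pointer captured before the window is stale by the time it is used. The fixed path holds one lock across the check, the use and the teardown, so the competing request is forced to wait and then finds the session already gone or still consistent, never half-torn-down.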
Administrators should take the following steps immediately:
Users are strongly advised to upgrade to the latest stable kernel release as soon as possible. Distribution maintainers for major Linux vendors, including those offering commercial support, have begun rolling out updated packages.
Kernel updates can be applied through standard package management tools or by manually compiling from the official Linux stable git repository.
Administrators who build from source should verify that their tree contains the fix, commit 44a3059c4c8cc635a1fb2afd692d0730ca1ba4b6 in the mainline repository. Note that stable and distribution backports carry their own commit identifiers and cite the mainline one in the commit message, so search the log for that identifier rather than expecting it to be an ancestor of HEAD; for vendor kernels without a git tree, rely on the distribution's advisory and package changelog for CVE-2025-38561.
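As an added example (not from the advisory or the kernel tree), the following POSIX shell helper performs that check against a local git checkout, accepting the mainline commit ID either as an ancestor of HEAD or as an ID cited in a backport's commit message, and reports whether ksmbd is active on the host. The function names and the use of /proc/modules and /sys/module/ksmbd are my choices; the commit ID is the one given in the advisory.

```shell
#!/bin/sh
# Added example: verify a kernel git tree carries the ksmbd fix and check
# whether ksmbd is active on this host. Assumes git and a checked-out tree.

FIX=44a3059c4c8cc635a1fb2afd692d0730ca1ba4b6

# fix_in_tree REPO SHA
# Returns 0 if SHA is an ancestor of HEAD, or if some commit reachable from
# HEAD cites SHA in its message (the convention stable backports follow).
fix_in_tree() {
    repo=$1
    sha=$2
    if git -C "$repo" cat-file -e "$sha^{commit}" 2>/dev/null &&
       git -C "$repo" merge-base --is-ancestor "$sha" HEAD; then
        echo "mainline commit $sha is an ancestor of HEAD"
        return 0
    fi
    if git -C "$repo" log --grep="$sha" --format=%H -n1 2>/dev/null | grep -q .; then
        echo "backport citing $sha is present in the log"
        return 0
    fi
    return 1
}

# ksmbd_active
# Returns 0 if the ksmbd module is loaded (listed in /proc/modules) or built
# in (present under /sys/module), i.e. the host could be exposed at all.
ksmbd_active() {
    grep -q '^ksmbd ' /proc/modules 2>/dev/null && return 0
    [ -d /sys/module/ksmbd ] && return 0
    return 1
}

# Usage: ./check-ksmbd-fix.sh /path/to/linux
if [ "${1:-}" ]; then
    if ksmbd_active; then
        echo "ksmbd is loaded or built in on this host"
    else
        echo "ksmbd is not active on this host"
    fi
    fix_in_tree "$1" "$FIX" || { echo "fix $FIX NOT found in $1"; exit 1; }
fi
```

Run it with the path to the kernel source tree the running kernel was built from; a tree that predates the fix, or a vendor tree that has not merged the backport, makes the script exit non-zero.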
The vulnerability was initially reported to Linux kernel developers on July 22, 2025, by Nicholas Zubrisky of Trend Research through the Zero Day Initiative (ZDI) program.
ZDI assigned the issue identifier ZDI-CAN-27661 and published its own advisory under ZDI-25-916 upon coordinated disclosure. On September 24, 2025, both ZDI and Linux maintainers released full details and patches for public consumption.
The joint release underscores industry best practices for responsible disclosure, allowing administrators to prepare mitigation strategies in advance of public announcement.
Nicholas Zubrisky’s research into ksmbd’s synchronization mechanisms has helped close a critical security gap in one of the most widely deployed open-source kernels.
System operators running SMB services on Linux are urged to prioritize patch deployment and to review network access controls so that the SMB service (TCP port 445) is reachable only from trusted networks, limiting who can open the authenticated sessions the attack requires.