Tuesday, March 17, 2026

macOS SMBClient Vulnerabilities Enable RCE and Kernel Crash

Critical vulnerabilities in macOS SMBClient could allow remote attackers to execute arbitrary code and crash systems through kernel-level exploits.

The vulnerabilities affect the SMB filesystem client used by macOS to mount remote file shares, representing a significant security risk for Mac users who interact with SMB networks or click malicious links.

The most severe vulnerability, designated CVE-2025-24269, involves a remote kernel heap overflow in the smb2_rq_decompress_read function within the smbfs.kext kernel extension.

This vulnerability occurs when processing compressed SMB data, where an attacker can control the compress_len parameter read directly from network communications without proper validation.

The vulnerability manifests when using chained compression with algorithms like SMB2_COMPRESSION_LZNT1, SMB2_COMPRESSION_LZ77, or SMB2_COMPRESSION_LZ77_HUFFMAN.

Attackers can specify arbitrary compression lengths, leading to heap memory corruption when the system attempts to copy more data than the allocated buffer can contain.

The overflow occurs in the xnu data heap, which provides some mitigation by restricting pointer overwrites, but still presents a serious security risk.

What makes this vulnerability particularly dangerous is that attackers can influence both the overflow quantity and the size of the allocated memory being corrupted, potentially setting initial buffer lengths up to 16MB.

This level of control significantly increases the likelihood of successful exploitation for remote code execution.
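As an added illustration (not Apple's smbfs code), this is the length validation a decompress-read path needs before copying a chained payload: every compress_len taken from the wire is checked against both the bytes actually received and the remaining output capacity, and nothing is copied until the whole chain passes. The per-payload header layout, the algorithm ids and the DR_* codes are assumptions of this example rather than the MS-SMB2 format, and a plain copy stands in for the LZ decoders.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
enum { ALG_LZNT1 = 1, ALG_LZ77 = 2, ALG_LZ77_HUFFMAN = 3 };     /* accepted algorithm ids (assumed) */
enum { DR_OK = 0, DR_TRUNCATED = -1, DR_TOO_LARGE = -2, DR_BAD_ALG = -3 };
#define HDR_LEN 6                          /* assumed header: alg (u16 LE) + compress_len (u32 LE) */
#define MAX_SEGMENT (16u * 1024u * 1024u)  /* hard cap on one payload; the article cites 16MB buffers */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
/* Walk a chain of payloads and copy each into out. Nothing is written until
 * every length field in the chain has been validated, so a hostile
 * compress_len can never drive the copy past the end of out. */
int decompress_read(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t pos = 0, total = 0;
    while (pos < in_len) {                                    /* pass 1: validate */
        if (in_len - pos < HDR_LEN) return DR_TRUNCATED;       /* header itself is cut short */
        uint16_t alg = le16(in + pos);
        uint32_t compress_len = le32(in + pos + 2);
        if (alg < ALG_LZNT1 || alg > ALG_LZ77_HUFFMAN) return DR_BAD_ALG;
        if (compress_len > MAX_SEGMENT) return DR_TOO_LARGE;
        if (compress_len > in_len - pos - HDR_LEN) return DR_TRUNCATED; /* claims more bytes than arrived */
        if (compress_len > out_cap - total) return DR_TOO_LARGE;        /* the missing check: would overrun out */
        total += compress_len;
        pos += HDR_LEN + compress_len;
    }
    pos = 0; total = 0;
    while (pos < in_len) {                                    /* pass 2: copy (a real decoder goes here) */
        uint32_t compress_len = le32(in + pos + 2);
        memcpy(out + total, in + pos + HDR_LEN, compress_len);
        total += compress_len;
        pos += HDR_LEN + compress_len;
    }
    *out_len = total;
    return DR_OK;
}
/* Constructed sample chains, not captured traffic. */
static const uint8_t SAMPLE_GOOD[]   = { 1,0, 3,0,0,0, 'a','b','c',  2,0, 2,0,0,0, 'd','e' };
static const uint8_t SAMPLE_TRUNC[]  = { 1,0, 16,0,0,0, 'a','b' };   /* says 16 bytes, carries 2 */
static const uint8_t SAMPLE_BADALG[] = { 9,0, 1,0,0,0, 'z' };
int main(void) {                                              /* stand-alone demo */
    uint8_t out[8]; size_t n = 0;
    printf("rc=%d for a chain that claims more bytes than it carries\n",
           decompress_read(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, out, sizeof out, &n));
    return 0;
}
```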


The second vulnerability, CVE-2025-24235, affects the Kerberos Helper library used during SMB session establishment.

This vulnerability can be triggered remotely when users click on malicious smb:// URLs or through the mount_smbfs command, potentially resulting in remote code execution.

The vulnerability occurs in the _KRBDecodeNegTokenInit function, where a NegotiationToken is declared on the stack but not properly initialized.

When the gss_decapsulate_token function fails, the code jumps to cleanup routines that attempt to free uninitialized memory using _free_NegotiationToken.

This eventually calls _asn1_free() with uninitialized data as a template, providing multiple opportunities for memory manipulation.

Apple addressed this issue by implementing proper memory initialization using memset() before the NegotiationToken is used, preventing the free operation on uninitialized memory.

Local Privilege Escalation

The third vulnerability, while not assigned a CVE number, allows unprivileged users to send SIGTERM signals to any process on the system, including critical system processes like launchd.

This vulnerability exists in the SMBIOC_UPDATE_NOTIFIER_PID ioctl, which is designed to register the process ID of the mc_notifier userland process with the kernel.

According to the report, the vulnerability occurs because the kernel doesn't verify that the calling process has permission to signal the target process ID.

Attackers can exploit this by setting a malicious PID before mounting and unmounting an SMB filesystem, causing the kernel to send a SIGTERM signal to any chosen process. Targeting launchd with this attack immediately crashes the Mac, requiring a reboot.

Apple resolved this issue by adding entitlement checks to the SMBIOC_UPDATE_NOTIFIER_PID ioctl call, ensuring only authorized processes can update the notifier PID.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
