CVE-2021-47568
📋 TL;DR
This CVE describes a memory leak vulnerability in the Linux kernel's ksmbd module within the get_file_stream_info() function. It affects systems using the ksmbd SMB server implementation, potentially leading to resource exhaustion over time. The vulnerability is present in specific kernel versions before patches were applied.
💻 Affected Systems
- Linux kernel with ksmbd module enabled
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Sustained exploitation could cause kernel memory exhaustion, leading to system instability, denial of service, or crashes requiring reboot.
Likely Case
Gradual memory consumption over time in systems with heavy SMB file operations, potentially causing performance degradation.
If Mitigated
Minimal impact with proper monitoring and patching; memory leaks would be detected and addressed before causing system issues.
🎯 Exploit Status
Exploitation requires ability to trigger the vulnerable function through SMB operations; no public exploits known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits 11e659827c3a2facb3a04e08cc97ff14d5091f51 and 178ca6f85aa3231094467691f5ea1ff2f398aa8d
Vendor Advisory: https://git.kernel.org/stable/c/11e659827c3a2facb3a04e08cc97ff14d5091f51
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits.
2. Check with your distribution for backported patches.
3. Reboot system to load patched kernel.
🔧 Temporary Workarounds
Disable ksmbd module
Linux: Unload the ksmbd kernel module if it is not required for SMB server functionality.
sudo rmmod ksmbd
echo 'blacklist ksmbd' | sudo tee /etc/modprobe.d/blacklist-ksmbd.conf
Use alternative SMB server
Linux: Replace ksmbd with Samba or another SMB server implementation.
sudo systemctl disable ksmbd
sudo systemctl stop ksmbd
sudo apt-get install samba
🧯 If You Can't Patch
- Monitor system memory usage and kernel logs for signs of memory exhaustion
- Restrict SMB access to trusted networks and users only
🔍 How to Verify
Check if Vulnerable:
Check if ksmbd module is loaded: lsmod | grep ksmbd. Check kernel version: uname -r and compare with distribution's patched versions.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes fix commits or check with distribution's security advisories. Confirm ksmbd module version if available.
📡 Detection & Monitoring
Log Indicators:
- Kernel oom-killer events
- Increasing memory usage in /proc/meminfo
- ksmbd process memory growth in process monitors
Network Indicators:
- Unusual SMB request patterns targeting file stream operations
SIEM Query:
(source="kernel" AND ("oom" OR "out of memory")) OR (process="ksmbd" AND memory_usage>threshold)
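The "Increasing memory usage in /proc/meminfo" indicator can be checked with a short script. This is an added example, not part of the original advisory or the kernel project: it samples the SUnreclaim counter and flags a series that never drops and grows past a threshold. It assumes a leaked kernel allocation accumulates in SUnreclaim; the function names, the 51200 kB threshold and the sampling defaults are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the advisory): watch unreclaimable slab memory.
# Assumption: a leaked kernel allocation accumulates in SUnreclaim.

# Print the SUnreclaim value (kB) from a /proc/meminfo-format file.
sunreclaim_kb() {
    awk '$1 == "SUnreclaim:" { print $2; found = 1 }
         END { exit !found }' "${1:-/proc/meminfo}"
}

# Read one kB sample per line on stdin. Print LEAK_SUSPECTED when the series
# never decreases and grows by at least $1 kB in total, otherwise OK.
growth_verdict() {
    awk -v min="$1" '
        NR == 1   { first = $1; prev = $1; next }
        $1 < prev { dropped = 1 }
                  { prev = $1 }
        END {
            leak = (NR >= 2 && !dropped && prev - first >= min)
            verdict = leak ? "LEAK_SUSPECTED" : "OK"
            print verdict
        }'
}

# Succeed if lsmod-format text on stdin lists a module named exactly ksmbd.
ksmbd_loaded() {
    awk '$1 == "ksmbd" { hit = 1 } END { exit !hit }'
}

# Live use: sh script --live [samples] [interval_s] [min_growth_kb]
# Defaults (6 samples, 60 s apart, 51200 kB) are illustrative, not tuned.
if [ "${1:-}" = "--live" ]; then
    n=${2:-6}; interval=${3:-60}; min=${4:-51200}
    if ! lsmod | ksmbd_loaded; then
        echo "ksmbd not loaded"
        exit 0
    fi
    i=0
    while [ "$i" -lt "$n" ]; do
        sunreclaim_kb /proc/meminfo
        i=$((i + 1))
        if [ "$i" -lt "$n" ]; then sleep "$interval"; fi
    done | growth_verdict "$min"
fi
```

A LEAK_SUSPECTED verdict only says unreclaimable slab memory kept growing during the window; it does not attribute the growth to ksmbd, so confirm against the patched-kernel check before acting on it.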