CVE-2025-22037
📋 TL;DR
A null pointer dereference vulnerability in the Linux kernel's ksmbd SMB server allows attackers to crash the kernel by sending a malformed SMB2 negotiate request followed by a session setup request. This affects Linux systems running ksmbd (in-kernel SMB server) with the vulnerable code. The vulnerability can lead to denial of service.
💻 Affected Systems
- Linux kernel with ksmbd module
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and complete denial of service, requiring physical or remote console access to reboot.
Likely Case
Kernel crash causing service disruption and potential data loss for active SMB connections.
If Mitigated
Minimal impact if ksmbd is not enabled or if network access is restricted.
🎯 Exploit Status
Exploitation requires sending specific malformed SMB packets. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel with commits 8f216b33a5e1b3489c073b1ea1b3d7cb63c8dc4d and related fixes
Vendor Advisory: https://git.kernel.org/stable/c/8f216b33a5e1b3489c073b1ea1b3d7cb63c8dc4d
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix.
2. Reboot the system.
3. Verify that the loaded ksmbd module comes from the patched kernel.
🔧 Temporary Workarounds
Disable ksmbd module
Prevent loading of the vulnerable ksmbd kernel module
echo 'blacklist ksmbd' >> /etc/modprobe.d/blacklist-ksmbd.conf
rmmod ksmbd
Block SMB ports at firewall
Prevent external access to SMB services
iptables -A INPUT -p tcp --dport 445 -j DROP
iptables -A INPUT -p tcp --dport 139 -j DROP
🧯 If You Can't Patch
- Disable ksmbd service if not required
- Implement network segmentation to restrict SMB access to trusted hosts only
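Added example (not code from this advisory or the kernel project): a POSIX shell script that applies the module workaround above in a way that survives a later explicit load. A blacklist line only stops alias-based autoloading; an install ksmbd /bin/false line also makes a plain modprobe ksmbd fail. The drop-in path, the --apply flag and the function names are this example's own choices; ksmbd.mountd is the user-space helper shipped with ksmbd-tools and is stopped first so the in-kernel server shuts down before the module is removed.

```shell
#!/bin/sh
# Added example, not code from the advisory: keep ksmbd unloaded so it can be
# neither auto-loaded nor loaded again by hand. CONF_PATH and the --apply
# flag are this script's own assumptions.

CONF_PATH="${CONF_PATH:-/etc/modprobe.d/disable-ksmbd.conf}"

# Print the modprobe drop-in. "blacklist" stops alias-based autoloading only;
# "install ksmbd /bin/false" makes an explicit `modprobe ksmbd` fail as well.
ksmbd_modprobe_conf() {
    printf '%s\n' \
        '# CVE-2025-22037 workaround: keep the in-kernel SMB server unloaded' \
        'blacklist ksmbd' \
        'install ksmbd /bin/false'
}

# Read lsmod-style output on stdin; succeed if ksmbd is listed as loaded.
ksmbd_loaded_in() {
    grep -q '^ksmbd[[:space:]]'
}

# Write the drop-in, stop the user-space helper (ksmbd.mountd from
# ksmbd-tools) when systemd is present, then unload the module.
disable_ksmbd() {
    ksmbd_modprobe_conf > "$CONF_PATH"
    if command -v systemctl >/dev/null 2>&1; then
        systemctl stop ksmbd.mountd 2>/dev/null || true
    fi
    if lsmod | ksmbd_loaded_in; then
        rmmod ksmbd
    fi
    if lsmod | ksmbd_loaded_in; then
        echo "ksmbd still loaded; inspect 'lsmod | grep ksmbd' for users" >&2
        return 1
    fi
    echo "ksmbd disabled; drop-in written to $CONF_PATH"
}

# Only change the system when explicitly asked, so the functions can be
# sourced and checked without side effects.
if [ "${1:-}" = "--apply" ]; then
    disable_ksmbd
fi
```

Run as root with --apply; the drop-in keeps the module out across reboots, while rmmod handles the currently running kernel.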
🔍 How to Verify
Check if Vulnerable:
Check if ksmbd module is loaded: lsmod | grep ksmbd. If loaded, check kernel version against patched versions.
Check Version:
uname -r
Verify Fix Applied:
Check that the running kernel version (uname -r) includes the fix commits by reviewing its git commit history, and confirm that the loaded ksmbd module comes from that kernel build.
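Added example (not code from this advisory): POSIX shell helpers for the version step above. kernel_base_version strips the distribution suffix from uname -r, and version_ge compares each dotted field as a number, so 6.14.10 is correctly treated as newer than 6.14.2 (a plain string comparison gets this wrong). The minimum fixed version is a placeholder argument because this advisory lists fix commits rather than release numbers; distributions also backport fixes, so a base version below the upstream release is a prompt to check the changelog for the commit IDs, not proof of vulnerability. The function names and the --check flag are the example's own.

```shell
#!/bin/sh
# Added example, not code from the advisory. MIN_FIXED_VERSION is a
# placeholder: take the first kernel release carrying the fix commits from
# your distribution's advisory.

# "6.14.2-arch1-1" -> "6.14.2": keep only the leading digits-and-dots prefix.
kernel_base_version() {
    printf '%s\n' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/'
}

# Succeed if version $1 >= version $2, comparing each dotted field numerically.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Classify a host from its `uname -r` string, whether ksmbd is loaded
# (yes/no) and the minimum fixed version. Prints one of:
#   not-loaded | patched-by-version | needs-review
ksmbd_status() {
    release="$1"; loaded="$2"; min_fixed="$3"
    if [ "$loaded" != "yes" ]; then
        echo "not-loaded"
    elif version_ge "$(kernel_base_version "$release")" "$min_fixed"; then
        echo "patched-by-version"
    else
        # Older base version: the fix may still be backported, so confirm
        # against the distro changelog before treating the host as vulnerable.
        echo "needs-review"
    fi
}

# Live check of the current host when run directly with --check.
if [ "${1:-}" = "--check" ]; then
    : "${MIN_FIXED_VERSION:?set MIN_FIXED_VERSION to the first fixed kernel release}"
    if lsmod | grep -q '^ksmbd[[:space:]]'; then loaded=yes; else loaded=no; fi
    ksmbd_status "$(uname -r)" "$loaded" "$MIN_FIXED_VERSION"
fi
```

Usage: MIN_FIXED_VERSION=x.y.z sh check-ksmbd.sh --check, with x.y.z taken from your distribution's fixed release.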
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/messages or dmesg
- ksmbd crash logs
- Unexpected SMB negotiate failures
Network Indicators:
- Malformed SMB2 negotiate packets followed by session setup requests
- Unusual SMB traffic patterns
SIEM Query:
(source="kernel" AND ("panic" OR "Oops") AND "ksmbd") OR (source="ksmbd" AND "error")
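Added example (not code from this advisory): a POSIX shell/awk scanner for the log indicators above. The NULL-pointer BUG line itself does not mention ksmbd; the module name appears in the RIP and call-trace lines that follow it, so a crash is attributed to ksmbd only when a frame tagged [ksmbd] appears within a few lines after the crash header. The sample log lines are constructed for the example and are not real crash output; the function names and the --dmesg flag are the example's own.

```shell
#!/bin/sh
# Added example, not code from the advisory. Attributes kernel crashes to
# ksmbd by correlating the crash header with the stack frames that follow it.

# Read kernel log text (dmesg or journalctl -k output) on stdin. A crash
# header (BUG:, Oops:, Kernel panic) followed within $1 lines (default 30)
# by a frame tagged "[ksmbd]" is reported once, as its header line.
ksmbd_crashes() {
    awk -v window="${1:-30}" '
        /BUG: |Oops: |Kernel panic/ {
            header = $0; remaining = window; next
        }
        remaining > 0 {
            remaining--
            # Stack frames carry the owning module in trailing brackets.
            if ($0 ~ /\[ksmbd\]/) {
                print header
                remaining = 0
            }
        }'
}

# Count the ksmbd crashes found in a log fed on stdin.
ksmbd_crash_count() {
    ksmbd_crashes "${1:-30}" | wc -l | tr -d ' '
}

# Constructed sample (not a real trace): one ksmbd crash, one crash in an
# unrelated module, and a ksmbd protocol error that is not a crash.
SAMPLE_LOG='kernel: ksmbd: Unable to parse negotiate request
kernel: BUG: kernel NULL pointer dereference, address: 0000000000000010
kernel: Oops: 0000 [#1] PREEMPT SMP
kernel: RIP: 0010:smb2_sess_setup+0x1a/0x300 [ksmbd]
kernel: Call Trace:
kernel:  handle_ksmbd_work+0x20/0x40 [ksmbd]
kernel: BUG: unable to handle page fault for address: 00000000deadbeef
kernel: RIP: 0010:some_function+0x10/0x20 [example_mod]
kernel: Call Trace:
kernel:  other_function+0x5/0x10 [example_mod]'

# Number of ksmbd crashes in the constructed sample (expected: 1).
count_in_sample() {
    printf '%s\n' "$SAMPLE_LOG" | ksmbd_crash_count
}

# Live scan of the running kernel's log when invoked directly.
if [ "${1:-}" = "--dmesg" ]; then
    dmesg | ksmbd_crashes
fi
```

The window keeps an unrelated ksmbd message that happens to appear long after some other crash from being counted; widen it if your traces are longer than 30 lines.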
🔗 References
- https://git.kernel.org/stable/c/8f216b33a5e1b3489c073b1ea1b3d7cb63c8dc4d
- https://git.kernel.org/stable/c/b8eb243e670ecf30e91524dd12f7260dac07d335
- https://git.kernel.org/stable/c/c8b5b7c5da7d0c31c9b7190b4a7bba5281fc4780
- https://git.kernel.org/stable/c/ca8bed31edf728a662ef9d6f39f50e7a7dc2b5ad
- https://git.kernel.org/stable/c/cce57cd8c5dead24127cf2308fdd60fcad2d6ba6
- https://www.zerodayinitiative.com/advisories/ZDI-25-310/