Login Sign Up

CVE-2025-38191

5.5 MEDIUM
Denial of Service

📋 TL;DR

A NULL pointer dereference vulnerability in the Linux kernel's ksmbd module allows denial-of-service attacks when clients set PreviousSessionId during Kerberos session setup. This affects systems using the ksmbd SMB server module. Attackers can crash the kernel module, disrupting SMB file sharing services.

💻 Affected Systems

Products:
  • Linux kernel with ksmbd module
Versions: Linux kernel versions with vulnerable ksmbd code (specific versions not specified in CVE)
Operating Systems: Linux distributions with ksmbd module enabled
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when ksmbd module is loaded and configured for SMB sharing with Kerberos authentication

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and complete service disruption

🟠

Likely Case

Kernel module crash causing SMB service interruption requiring module restart

🟢

If Mitigated

Isolated module crash with automatic restart if configured, minimal service impact

🌐 Internet-Facing: MEDIUM - Requires SMB service exposure and Kerberos authentication
🏢 Internal Only: MEDIUM - Internal attackers with network access to SMB services can exploit

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires ability to initiate Kerberos SMB session setup with PreviousSessionId set

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel with commit 076f1adefb9837977af7ed233883842ddc446644 or later

Vendor Advisory: https://git.kernel.org/stable/c/076f1adefb9837977af7ed233883842ddc446644

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version 2. Reboot system 3. Verify ksmbd module loads correctly

🔧 Temporary Workarounds

Disable ksmbd module

linux

Prevent loading of vulnerable ksmbd kernel module

echo 'blacklist ksmbd' >> /etc/modprobe.d/blacklist-ksmbd.conf
rmmod ksmbd

Disable Kerberos authentication

linux

Configure ksmbd to use only non-Kerberos authentication methods

Edit ksmbd configuration to disable Kerberos options

🧯 If You Can't Patch

  • Restrict SMB network access to trusted clients only
  • Implement network segmentation to isolate SMB services

🔍 How to Verify

Check if Vulnerable:

Check if ksmbd module is loaded: lsmod | grep ksmbd

Check Version:

uname -r

Verify Fix Applied:

Check kernel version includes fix commit: grep -q '076f1adefb9837977af7ed233883842ddc446644' /proc/version

📡 Detection & Monitoring

Log Indicators:

  • Kernel oops messages
  • ksmbd module crash logs
  • SMB service interruption logs

Network Indicators:

  • Unexpected SMB session setup packets with PreviousSessionId
  • SMB service unavailability

SIEM Query:

source="kernel" AND ("NULL pointer dereference" OR "ksmbd" OR "oops")

📊 Metadata

CVE ID: CVE-2025-38191
CVSS v3 Score: 5.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-476
EPSS Score: 0.02% exploit probability (4.8th percentile)
Published: July 4, 2025
Last Updated: December 18, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-38191, you might also want to check these:

CVE-2022-36648 10.0

This CVE describes a vulnerability in QEMU's hardware emulation where a malformed program executed i...

Same vulnerability type (CWE-476)
CVE-2022-30592 9.8

This vulnerability in LiteSpeed QUIC (LSQUIC) before version 3.1.0 involves improper handling of MAX...

Same vulnerability type (CWE-476)
CVE-2023-47003 9.8

A NULL pointer dereference vulnerability in RedisGraph allows attackers to execute arbitrary code or...

Same vulnerability type (CWE-476)