CVE-2025-71204
📋 TL;DR
A refcount leak vulnerability in the Linux kernel's SMB server component (ksmbd) could lead to resource exhaustion or denial of service. When certain replay operations fail with an -ENOEXEC error, the kernel does not release the file handle reference it took, so the reference (and the memory behind it) is never freed. This affects Linux systems running the ksmbd SMB server.
💻 Affected Systems
- Linux kernel with ksmbd SMB server module
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sustained exploitation could exhaust kernel memory resources, leading to system instability, crashes, or denial of service for SMB file sharing services.
Likely Case
Gradual memory consumption over time affecting SMB server performance, potentially causing service degradation or intermittent failures.
If Mitigated
Minimal impact with proper monitoring and resource limits; isolated to SMB server functionality.
🎯 Exploit Status
Exploitation requires triggering SMB replay operations that fail with -ENOEXEC on the server. An attacker would need SMB client access to the ksmbd server and the ability to craft replay requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel with commits 07df5ff4f6490a5c96715b7c562e0b2908422e04 or later
Vendor Advisory: https://git.kernel.org/stable/c/07df5ff4f6490a5c96715b7c562e0b2908422e04
Restart Required: No
Instructions:
1. Update the Linux kernel to a version containing the fix commit(s).
2. For distributions: apply security updates from the vendor.
3. Rebuild and reload the ksmbd module if using a custom kernel.
🔧 Temporary Workarounds
Disable ksmbd module
Applies to: all. Unload the ksmbd kernel module to eliminate the vulnerable surface.
sudo rmmod ksmbd
echo 'blacklist ksmbd' | sudo tee /etc/modprobe.d/ksmbd-blacklist.conf
Restrict SMB access
Applies to: all. Limit SMB server exposure using firewall rules.
sudo iptables -A INPUT -p tcp --dport 445 -j DROP
sudo iptables -A INPUT -p tcp --dport 139 -j DROP
🧯 If You Can't Patch
- Monitor system memory usage and ksmbd process for abnormal growth
- Implement rate limiting on SMB connections to reduce attack surface
🔍 How to Verify
Check if Vulnerable:
Check whether the ksmbd module is loaded: lsmod | grep ksmbd. If it is loaded, compare the running kernel against the fix commit below (the advisory provides no vulnerable version ranges, so the commit is the only reliable reference point).
Check Version:
uname -r
Verify Fix Applied:
From within the source tree the running kernel was built from, verify that it contains the fix commits: git log --oneline | grep -E '07df5ff4f649|3296c3012a9d|70dd3513ed6a|8a15107c4c03'. Note that these are mainline hashes; a stable or distribution backport carries a different hash, so on such kernels check the vendor changelog or search the full git log for the upstream hash instead.
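The three checks in this section, combined into one POSIX shell helper as an added example (this is not a script from the advisory or from the kernel project). Each check reads its input as text, so it can be fed live output (lsmod, git log) or a captured sample; the module list and git log lines used for the demo are constructed, and the commit subject text is a placeholder.

```shell
#!/bin/sh
# Added example: verification helpers for CVE-2025-71204.
# The commit prefixes are the ones listed in the advisory.
FIX_COMMITS='07df5ff4f649|3296c3012a9d|70dd3513ed6a|8a15107c4c03'

# ksmbd_loaded: exit 0 if the lsmod-style module list on stdin has ksmbd loaded.
# The pattern is anchored so a line that merely lists ksmbd as a dependent
# (e.g. "nls_utf8 ... 1 ksmbd") does not count.
ksmbd_loaded() {
    grep -q '^ksmbd[[:space:]]'
}

# fix_present: exit 0 if the "git log --oneline" text on stdin mentions any
# of the fix commits (same grep the advisory uses).
fix_present() {
    grep -qE "$FIX_COMMITS"
}

# verdict MODULES GITLOG -> NOT_EXPOSED | UNKNOWN | PATCHED | VULNERABLE
# An empty git log means the source tree is not available (e.g. a distro
# kernel), so hash matching cannot decide; report UNKNOWN rather than guessing.
verdict() {
    modules=$1
    log=$2
    if ! printf '%s\n' "$modules" | ksmbd_loaded; then
        echo NOT_EXPOSED
        return 0
    fi
    if [ -z "$log" ]; then
        echo UNKNOWN
        return 0
    fi
    if printf '%s\n' "$log" | fix_present; then
        echo PATCHED
    else
        echo VULNERABLE
    fi
}

# Constructed sample inputs for a stand-alone run (not real command output).
SAMPLE_MODULES='ksmbd                 540672  0
nls_utf8               16384  1 ksmbd'
SAMPLE_LOG='07df5ff4f649 (placeholder commit subject)
1234567890ab (unrelated commit)'

# With --live, use the real lsmod output and the git log of the current tree.
if [ "${1:-}" = "--live" ]; then
    verdict "$(lsmod 2>/dev/null)" "$(git log --oneline 2>/dev/null)"
else
    echo "sample verdict: $(verdict "$SAMPLE_MODULES" "$SAMPLE_LOG")"
fi
```

Run it as `sh verify_ksmbd.sh --live` from inside the kernel source tree the running kernel was built from; anywhere else the git log is empty and the script reports UNKNOWN, which is the honest answer when only the hash is available.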
📡 Detection & Monitoring
Log Indicators:
- Kernel oom-killer events
- ksmbd memory allocation failures in dmesg
- SMB session replay errors
Network Indicators:
- Abnormal SMB replay request patterns
- Multiple failed SMB operations with specific error codes
SIEM Query:
(source="kernel" AND ("oom" OR ("ksmbd" AND "memory"))) OR (source="smb" AND "replay" AND "ENOEXEC")
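The log indicators above, applied to kernel log lines as an added triage example (not part of the advisory). The script classifies each line into one of the three indicator classes and prints a count per class; the sample lines are constructed for the demo, and the exact ksmbd message wording is an assumption, so match on the text your kernel actually emits.

```shell
#!/bin/sh
# Added example: count CVE-2025-71204 log indicators in kernel log text.

# classify_line LINE -> prints oom | ksmbd_alloc | replay, or nothing.
# Order matters: an OOM kill line is counted as oom even if it names ksmbd.
classify_line() {
    case "$1" in
        *"Out of memory"*|*oom-kill*|*oom_reaper*) echo oom ;;
        *ksmbd*alloc*|*ksmbd*memory*)             echo ksmbd_alloc ;;
        *ksmbd*replay*|*ksmbd*ENOEXEC*)           echo replay ;;
    esac
}

# count_indicators < LOG -> prints "oom=N ksmbd_alloc=N replay=N"
count_indicators() {
    oom=0; alloc=0; replay=0
    while IFS= read -r line; do
        case "$(classify_line "$line")" in
            oom)         oom=$((oom + 1)) ;;
            ksmbd_alloc) alloc=$((alloc + 1)) ;;
            replay)      replay=$((replay + 1)) ;;
        esac
    done
    printf 'oom=%d ksmbd_alloc=%d replay=%d\n' "$oom" "$alloc" "$replay"
}

# Constructed sample log (not real output): one line per indicator class plus
# one unrelated line that must not be counted.
SAMPLE_LOG='[  120.001] Out of memory: Killed process 4242 (example) total-vm:10240kB
[  121.002] ksmbd: failed to allocate memory for session (constructed)
[  122.003] ksmbd: replay request rejected, err -8 ENOEXEC (constructed)
[  123.004] usb 1-1: new high-speed USB device number 2'

# With --dmesg, read the live kernel ring buffer; otherwise run on the sample.
if [ "${1:-}" = "--dmesg" ]; then
    dmesg | count_indicators
else
    printf '%s\n' "$SAMPLE_LOG" | count_indicators
fi
```

Any non-zero replay or ksmbd_alloc count on a host that exposes ksmbd is worth a closer look; a rising oom count together with those is the combination the advisory's worst case describes. Feed `journalctl -k` instead of dmesg on systemd hosts.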