CVE-2025-71223


📋 TL;DR

This CVE describes a reference count leak vulnerability in the Linux kernel's SMB server implementation (ksmbd). When ksmbd_vfs_getattr() fails during file operations, the system fails to properly release kernel memory references, potentially leading to resource exhaustion. This affects Linux systems running vulnerable kernel versions with ksmbd enabled.

💻 Affected Systems

Products:
  • Linux kernel with ksmbd module
Versions: Specific kernel versions containing the vulnerable code (check git commits for exact ranges)
Operating Systems: Linux distributions with vulnerable kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if ksmbd (SMB server) is enabled and in use. Many systems may not have this module loaded by default.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could trigger repeated failed file operations to exhaust kernel memory, causing system instability, denial of service, or potential kernel panic.

🟠 Likely Case

Local or remote attackers could cause gradual memory exhaustion leading to degraded system performance or service disruption.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to potential performance degradation rather than complete system failure.

🌐 Internet-Facing: MEDIUM - SMB services exposed to internet could be targeted for DoS attacks, but exploitation requires specific conditions.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this to disrupt SMB file sharing services.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to trigger SMB file operations that fail at the specific vulnerable code path. Likely requires authenticated access to SMB share.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing the fix commits: 2456fde2b137703328f1695f60c68fe488d17e36, 39ca11ff158c98fb092176f06047628c54bcf7a1, 4665e52bde3b1f8f442895ce7d88fa62a43e48c4, f416c556997aa56ec4384c6b6efd6a0e6ac70aa7

Vendor Advisory: https://git.kernel.org/stable/c/2456fde2b137703328f1695f60c68fe488d17e36

Restart Required: Yes

Instructions:

  1. Update the Linux kernel to the patched version from your distribution vendor.
  2. Reboot the system to load the new kernel.
  3. Verify that the ksmbd module loads correctly.

🔧 Temporary Workarounds

Disable ksmbd module

Linux

If SMB server functionality is not required, unload the ksmbd kernel module and blacklist it so it is not loaded again automatically. Note that a blacklist entry only affects loadable modules; it has no effect if ksmbd was built into the kernel.

modprobe -r ksmbd
echo 'blacklist ksmbd' >> /etc/modprobe.d/blacklist-ksmbd.conf

Restrict SMB access

Linux

Limit SMB access to trusted networks and users only. Replace TRUSTED_NETWORK with the permitted source network; the ACCEPT rule must precede the DROP rule, and both are appended after any existing rules in the INPUT chain.

iptables -A INPUT -p tcp --dport 445 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j DROP

🧯 If You Can't Patch

  • Monitor system memory usage and kernel logs for signs of memory exhaustion
  • Implement strict access controls on SMB shares to limit potential attack surface

🔍 How to Verify

Check if Vulnerable:

Check if the ksmbd module is loaded: lsmod | grep ksmbd. If it is not listed, also check whether it was built into the kernel: grep ksmbd /lib/modules/$(uname -r)/modules.builtin. If ksmbd is present either way, compare the running kernel version against the patched versions.

Check Version:

uname -r

Verify Fix Applied:

After patching, confirm that the running kernel version (uname -r) is one that your distribution lists as containing the fix commits, and test that SMB functionality remains operational.

📡 Detection & Monitoring

Log Indicators:

  • Kernel oom-killer messages
  • Memory allocation failures in dmesg
  • ksmbd error logs

Network Indicators:

  • Unusual SMB connection patterns
  • Repeated failed file operations

SIEM Query:

source="kernel" AND ("oom" OR "out of memory") AND process="ksmbd"
