Critical Flaw in Linux ksmbd (CVE-2025-38561) Enables Remote Code Execution in the Kernel
Researcher Nicholas Zubriski of Trend Research has disclosed a critical flaw in the ksmbd component of the Linux kernel, enabling attackers to remotely execute arbitrary code with the highest system privileges. The vulnerability, tracked as CVE-2025-38561, affects all Linux distributions that rely on the built-in ksmbd-based SMB server.
The issue stems from improper handling of the Preauth_HashValue field during SMB2 session establishment. The developers had introduced a thread-synchronization error: without proper memory locking, a race condition allowed multiple processes to modify the same object at the same time. The result was memory corruption and control over the execution flow, ultimately permitting arbitrary code execution in kernel space.
Although exploitation requires valid credentials, the severity remains high. Many organizations expose SMB services across both internal and external networks, making credential theft or reuse a realistic threat vector. A successful attack grants full system control, including the ability to implant persistent malware or disable critical infrastructure.
The vulnerability was privately reported on July 22, 2025, with public disclosure following on September 24 after coordinated advisories were issued. It carries a CVSS score of 8.5, reflecting its network vector, low privilege requirements, and lack of user interaction.
Fixes have already been incorporated into the latest Linux kernel versions. Developers introduced proper locking mechanisms to prevent race conditions during Preauth_HashValue handling. Administrators are strongly advised to:
- Identify systems running vulnerable kernel versions;
- Immediately apply the latest updates from the stable branch or distribution maintainers;
- Reboot affected machines to activate patches;
- Reassess and, if necessary, restrict SMB service exposure through network segmentation.
No temporary mitigations or workarounds exist: upgrading the kernel is the only remedy. Users of long-term support distributions must monitor their vendors closely for incoming security patches.
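As an added triage helper (not code from the advisory, Trend Research or the kernel project), the following POSIX shell script supports the first and last of the steps above: it reports whether ksmbd is loaded or shipped on a host and whether any socket is listening on TCP/445, together with the running kernel release for comparison against the distribution's fixed version. The ROOT prefix parameter and the verdict labels are this script's own convention.

```shell
#!/bin/sh
# Added triage helper, not code from the advisory or the kernel tree.
# Reports whether the in-kernel ksmbd SMB server is loaded or shipped on a
# host and whether any socket listens on TCP/445, with the running kernel
# release so it can be compared against the distribution's fix for
# CVE-2025-38561. ROOT (empty for the live host) prefixes every path so the
# checks can also run against a mounted image or a constructed test tree.

# ksmbd_state ROOT -> prints "loaded", "available" or "absent"
ksmbd_state() {
    root="${1:-}"
    # /sys/module/ksmbd exists while the module is loaded (usually also
    # when it is built into the kernel image)
    if [ -d "$root/sys/module/ksmbd" ]; then
        echo loaded
    # module shipped on disk but not loaded: still patch, it can be loaded later
    elif find "$root/lib/modules" -name 'ksmbd.ko*' 2>/dev/null | grep -q .; then
        echo available
    else
        echo absent
    fi
}

# smb_listening ROOT -> returns 0 if /proc/net/tcp or tcp6 has a socket in
# LISTEN state (st == 0A) on local port 445 (hex 01BD)
smb_listening() {
    root="${1:-}"
    cat "$root/proc/net/tcp" "$root/proc/net/tcp6" 2>/dev/null |
        awk '$2 ~ /:01BD$/ && $4 == "0A" { found = 1 } END { exit !found }'
}

# report ROOT -> one machine-readable line; "verdict" is this script's own
# label for fleet triage, not a CVSS or vendor rating
report() {
    root="${1:-}"
    state="$(ksmbd_state "$root")"
    if smb_listening "$root"; then listen=yes; else listen=no; fi
    verdict=patch-at-next-window
    [ "$state" = absent ] && verdict=no-ksmbd-found
    [ "$state" = loaded ] && [ "$listen" = yes ] && verdict=patch-now-exposed
    echo "kernel=$(uname -r) ksmbd=$state tcp445_listening=$listen verdict=$verdict"
}

# run against the live host when executed directly
report
```

Collect the printed line from each host and compare the kernel= value with the fixed release named in your distribution's advisory; the script cannot know that release itself.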
Nicholas Zubriski has been commended for his responsible disclosure, while the Linux community emphasizes that prompt administrative response is essential to safeguard enterprise environments and storage servers.