Critical macOS SMBClient Flaws Allow Remote Code Execution & Kernel Crashes

Security researchers have uncovered critical vulnerabilities in SMBClient for macOS that affect both user space and the operating system kernel. These flaws potentially allow for remote execution of arbitrary code and the termination of vital system processes. Given that SMB has become the preferred file-sharing protocol on macOS since the release of Big Sur, a broad user base is likely exposed.

SMBClient encompasses a suite of components—including user-level processes and kernel drivers—designed to interface with network-based file systems. A significant portion of its code interacts directly with the kernel, thereby exposing additional vectors for exploitation. Notably, these vulnerabilities can be triggered with minimal user interaction, such as clicking on a maliciously crafted smb:// link.

The first identified vulnerability, tracked as CVE-2025-24269 (CVSS score: 9.8), resides in the smbfs.kext macOS kernel extension. The flaw lies in the smb2_rq_decompress_read function, where improper validation of incoming data lengths may occur when handling compressed data using algorithms like LZNT1, LZ77, or LZ77_Huffman. A particular field, compress_len, is read from a network packet but not validated before its contents are copied into a buffer (compress_startp). The use of the SMB_MALLOC_DATA macro for memory allocation enables the attacker to control the buffer size—potentially allocating up to 16MB.

This leads to a heap overflow within the xnu kernel’s dynamic memory region—a zone fortified with protections to limit pointer manipulation. Nonetheless, researchers caution that exploitation remains possible. An attacker needs only to trick a user into clicking a malicious smb:// URL to initiate interaction with a compromised server and trigger the delivery of crafted packets.

The second vulnerability, CVE-2025-24235 (CVSS score: 5.5), affects the Kerberos Helper library used during SMB session establishment. The flaw stems from a classic security misstep—freeing an uninitialized stack variable. During authentication token parsing within the _KRBDecodeNegTokenInit function, a failed call to _gss_decapsulate_token still proceeds to a memory-freeing block. There, _free_NegotiationToken attempts to release uninitialized memory.

Further analysis revealed that this routine ultimately invokes the asn1_free function from the Heimdal library to process ASN.1 structures. Since the structure in question was never initialized, this can result in uncontrolled memory access and possibly lead to arbitrary code execution. An attack could be launched via typical SMB connection mechanisms, such as visiting an smb:// link or mounting a share using mount_smbfs.

The third flaw—though not yet assigned a CVE—was likewise deemed critical. It pertains to a flawed implementation of the mc_notifier registration mechanism within the smbfs module. This service handles notifications during the unmounting of network resources. Any user, regardless of privilege level, could issue an ioctl request (SMBIOC_UPDATE_NOTIFIER_PID) to register an arbitrary process ID. If the share is later unmounted, the kernel sends a SIGTERM signal to the registered process.

The crux of the problem lies in the kernel’s failure to verify the caller’s privileges and the validity of the provided PID. This oversight allows an attacker to terminate nearly any system process—including the essential launchd, which manages both user and system services. As a result, the system becomes unresponsive and requires a reboot. Exploiting this vulnerability merely requires access to the device and the ability to open /dev/nsmb, a capability often permitted even within user sandbox environments.

Apple has already addressed all three issues. The SMB packet handler now includes length validation to prevent buffer overflows. The Kerberos Helper library clears the NegotiationToken structure before use and release, mitigating the uninitialized memory risk. Meanwhile, user permission checks have been introduced for the mc_notifier registration mechanism to prevent unauthorized process termination.

It’s worth noting that SMB handling on iOS differs architecturally. The protocol is confined to user-space applications—such as the Files app and associated frameworks—and does not interface with the kernel. While this limits the exploitability of such flaws on Apple’s mobile devices, the broader principles of secure interaction between kernel and user space remain universally relevant.

These discoveries underscore the critical importance of rigorous coordination between user-space and kernel-level components—particularly when dealing with network protocols and potential vectors for remote exploitation.