KSMBD Exploit: A New Vulnerability Grants Remote Control of Linux Systems
Researchers from Doyensec, together with an independent author known as BitsByWill, have publicly demonstrated a working exploitation chain that enables remote execution of code in the Linux kernel via KSMBD — the in-kernel SMB3 server. The team showcased a reliable exploit against kernel 6.1.45, achieving remote code execution with a success rate exceeding 95%, and analysed the combination of vulnerabilities that the chain leveraged.
The attack begins with an unauthenticated heap overflow in the NTLM authentication handler (CVE-2023-52440). By sending a specially crafted SMB2_SESSION_SETUP bearing an anomalous parameter, an attacker can provoke a controlled heap corruption that provides a write primitive. A second flaw, an error in the extended-attribute parser (CVE-2023-4130), yields an out-of-bounds read primitive, allowing the extraction of heap pointers. Together, the write and read primitives let the adversary defeat kernel address space layout randomisation (KASLR) and recover kernel addresses for further exploitation.
According to the researchers, their method relies on mass-connection techniques to induce and detect a corrupted session; once a kernel base address is obtained, the attacker can construct a payload to redirect control flow from kernel space and trigger execution of arbitrary code. In their demonstrations the exploit stabilises execution using timing techniques that reduce the risk of a system crash, enabling a reliable escalation to full control.
The authors stress that KSMBD is disabled in the default configuration of many deployments, so the scenario requires an exposed service and an outdated 6.1.x kernel with KSMBD enabled to be practically exploitable. Nevertheless, where those conditions exist and network access is available from an untrusted source, the danger is real.
Practical recommendations emphasised by the team include promptly updating to kernel versions that incorporate the fixes; enabling standard hardening features (SMEP, SMAP, KPTI) and mitigations that randomise allocator freelists, measures that reduce exploit reliability but do not render the platform immune; and, where performance requirements allow, running SMB services in user space rather than in the kernel. Additional pragmatic controls are to restrict SMB access from untrusted networks, disable anonymous writes, and monitor for anomalous SMB traffic.
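Most of the conditions behind these recommendations can be verified on a host from files the kernel already exposes. The audit below is an added example written for this article, not code from Doyensec, BitsByWill or the KSMBD project. It assumes an x86 Linux host (SMEP/SMAP appear as CPU flags in /proc/cpuinfo, KPTI status in the sysfs meltdown entry, ksmbd as CONFIG_SMB_SERVER in the kernel config) and ships with constructed sample inputs so the checks can be exercised without a live system. One caveat it encodes: a version number at or below 6.1.45 only means "confirm the distribution has backported the CVE-2023-52440 and CVE-2023-4130 fixes", since vendor kernels often patch without bumping the release string.

```python
"""Offline audit of the KSMBD exposure conditions discussed in the article.

Added example (not code from Doyensec, BitsByWill or the article). It parses
the same text that /proc/cpuinfo, /sys/devices/system/cpu/vulnerabilities/meltdown,
the kernel config and /proc/modules produce, so the checks run on the
constructed samples below without touching the running host.
"""
import gzip
import os
import platform
import re

# Constructed sample inputs: a 6.1.45 host with ksmbd loaded, SMEP/SMAP and
# KPTI present, but SLAB freelist randomisation not compiled in.
SAMPLE_RELEASE = "6.1.45-custom"
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse smep smap\n"
SAMPLE_MELTDOWN = "Mitigation: PTI\n"
SAMPLE_CONFIG = """# Linux/x86 6.1.45 Kernel Configuration
CONFIG_SMB_SERVER=m
# CONFIG_SLAB_FREELIST_RANDOM is not set
CONFIG_SLAB_FREELIST_HARDENED=y
"""
SAMPLE_MODULES = ("ksmbd 462848 0 - Live 0x0000000000000000\n"
                  "nft_compat 20480 0 - Live 0x0000000000000000\n")


def parse_cpu_flags(cpuinfo_text):
    """CPU feature flags from the first 'flags' line of /proc/cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def parse_kernel_config(config_text):
    """Map CONFIG_X=value and '# CONFIG_X is not set' lines to a dict."""
    cfg = {}
    for line in config_text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line.strip())
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line.strip())
        if m:
            cfg[m.group(1)] = "n"
    return cfg


def loaded_modules(proc_modules_text):
    """Module names are the first column of each /proc/modules line."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def kernel_version_tuple(release):
    """'6.1.45-custom' -> (6, 1, 45); unparseable strings become (0, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", release)
    return tuple(int(x) for x in m.groups()) if m else (0, 0, 0)


def audit(release, cpuinfo, meltdown, config, modules):
    """Boolean checks derived purely from the supplied texts."""
    cfg = parse_kernel_config(config)
    flags = parse_cpu_flags(cpuinfo)
    ver = kernel_version_tuple(release)
    meltdown = meltdown.strip()
    return {
        "ksmbd_loaded": "ksmbd" in loaded_modules(modules),
        "ksmbd_built": cfg.get("CONFIG_SMB_SERVER", "n") in ("y", "m"),
        # 6.1.45 is the kernel the public demonstration targeted; a hit means
        # "verify the CVE-2023-52440 / CVE-2023-4130 patches", not proof.
        "kernel_at_or_below_demo": ver[:2] == (6, 1) and ver[2] <= 45,
        # Flag present means the CPU supports it; the kernel uses it unless
        # booted with nosmep/nosmap.
        "smep": "smep" in flags,
        "smap": "smap" in flags,
        # "Not affected" means the CPU needs no KPTI; otherwise require PTI.
        "kpti": meltdown.startswith("Mitigation: PTI") or meltdown == "Not affected",
        "freelist_random": cfg.get("CONFIG_SLAB_FREELIST_RANDOM") == "y",
        "freelist_hardened": cfg.get("CONFIG_SLAB_FREELIST_HARDENED") == "y",
    }


def findings(report):
    """Human-readable findings from the check dict, exposure first."""
    out = []
    if report["ksmbd_loaded"]:
        out.append("ksmbd is loaded: the in-kernel SMB server is active")
    elif report["ksmbd_built"]:
        out.append("ksmbd is built (CONFIG_SMB_SERVER) but not currently loaded")
    if report["kernel_at_or_below_demo"]:
        out.append("kernel is 6.1.x at or below the 6.1.45 level used in the public "
                   "demonstration; confirm CVE-2023-52440 and CVE-2023-4130 fixes")
    for key, label in (("smep", "SMEP"), ("smap", "SMAP"), ("kpti", "KPTI")):
        if not report[key]:
            out.append(f"{label} not active")
    if not report["freelist_random"]:
        out.append("CONFIG_SLAB_FREELIST_RANDOM is off: freelist order is predictable")
    if not report["freelist_hardened"]:
        out.append("CONFIG_SLAB_FREELIST_HARDENED is off")
    return out


def read_text(path, default=""):
    """Read a plain or gzipped text file, returning default if absent."""
    try:
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt") as fh:
            return fh.read()
    except OSError:
        return default


def audit_live_host():
    release = platform.release()
    cfg_path = "/proc/config.gz" if os.path.exists("/proc/config.gz") else f"/boot/config-{release}"
    return audit(release, read_text("/proc/cpuinfo"),
                 read_text("/sys/devices/system/cpu/vulnerabilities/meltdown", "unknown"),
                 read_text(cfg_path), read_text("/proc/modules"))


if __name__ == "__main__":
    for line in findings(audit_live_host()) or ["no findings"]:
        print(line)
```

Run it as root (or with read access to the config file) on the host in question; the sample constants reproduce a machine that would report three findings: ksmbd loaded, a 6.1.x kernel in the demonstrated range, and freelist randomisation disabled.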
This case serves as a reminder of the risks inherent in embedding complex network logic within the kernel: the potential performance gains come at the cost of an expanded attack surface. System administrators should regularly audit kernel modules, apply security updates without delay, and carefully weigh the necessity of enabling KSMBD on servers reachable from outside trusted networks.