CVE-2025-37778

Severity: HIGH (CVSS 3.1 base score 7.8)
Published: 2025-05-01
Source identifier: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

- Analysis Generated: Mar 17, 2026, 20:45 (vuln.today)
- Patch Released: Mar 17, 2026, 20:45 (nvd); patch available
- CVE Published: May 01, 2025, 14:15 (nvd)

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: Fix dangling pointer in krb_authenticate

krb_authenticate frees sess->user and does not set the pointer to NULL. It calls ksmbd_krb5_authenticate to reinitialise sess->user but that function may return without doing so. If that happens then smb2_sess_setup, which calls krb_authenticate, will be accessing free'd memory when it later uses sess->user.

Analysis

A use-after-free (CWE-416) exists in the Linux kernel's ksmbd SMB server: krb_authenticate frees the object referenced by sess->user without clearing the pointer, and if the following ksmbd_krb5_authenticate call returns before installing a replacement, smb2_sess_setup later dereferences the freed object. Per the CPE data the affected kernels are the 5.15, 6.1, 6.6 and 6.12 stable series (up to 5.15.174, 6.1.119, 6.6.66 and 6.12.5) and 6.15-rc1/rc2. NVD scores it CVSS 3.1 7.8 with a local attack vector, low privileges required and full confidentiality, integrity and availability impact; the worst case is kernel memory corruption leading to privilege escalation or a crash of the host. One caveat for operators: the vulnerable path is the server's SMB2 SESSION_SETUP handling, so the Kerberos authentication attempt that reaches krb_authenticate arrives over the SMB connection, and the local attack vector in the CVSS vector should be read with that in mind. With a low EPSS score of 0.07% and no known active exploitation, this is a moderate priority issue despite the high CVSS score.

Technical Context

ksmbd is the kernel-mode SMB3 server in Linux, and the bug sits in its Kerberos authentication handling. According to the CPE data, affected systems are Linux kernel 5.15.x through 6.15-rc2 (see Affected Products for the exact ranges) and Debian 11. The issue is classified as CWE-416 (Use After Free). krb_authenticate frees the user object that sess->user points to but leaves the pointer value in place; it then calls ksmbd_krb5_authenticate, which is expected to install a new sess->user but can return early (for example when the authentication fails) without doing so. Because the pointer is still non-NULL, the caller smb2_sess_setup cannot tell that the object is gone and uses freed memory when it later touches sess->user. The free only matters when sess->user is already set when krb_authenticate runs, and the fix is to clear sess->user at the point of the free, so that a failed re-authentication leaves the session in a state the caller can recognise.
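The pattern described above, as an added C model that is not the kernel's code: struct ksmbd_session, struct ksmbd_user, krb5_authenticate_stub, the outcome codes and run_scenario are hypothetical stand-ins for the real ksmbd objects and functions. It puts the vulnerable and the fixed shape of krb_authenticate side by side and models a caller that, like smb2_sess_setup, consults sess->user after authentication; the freed pointer is only compared with NULL, never dereferenced, so the model runs cleanly under a sanitizer.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-ins for the kernel's session and user objects. */
struct ksmbd_user {
    unsigned int uid;
};

struct ksmbd_session {
    struct ksmbd_user *user;    /* owned by the session; released via ksmbd_free_user() */
};

enum outcome {
    SAFE_REJECT = 0,    /* caller found user == NULL and bailed out cleanly */
    UAF_REACHED = 1,    /* caller found a non-NULL pointer to an already freed object */
    AUTH_OK     = 2,    /* re-authentication installed a fresh user */
};

static void ksmbd_free_user(struct ksmbd_user *u)
{
    free(u);
}

/* Stand-in for ksmbd_krb5_authenticate(): installs a new user on success, but
 * on failure returns early WITHOUT touching sess->user.  That early return is
 * what leaves the caller's dangling pointer observable. */
static int krb5_authenticate_stub(struct ksmbd_session *sess, bool ticket_ok)
{
    struct ksmbd_user *u;

    if (!ticket_ok)
        return -EACCES;
    u = calloc(1, sizeof(*u));
    if (!u)
        return -ENOMEM;
    u->uid = 1000;
    sess->user = u;
    return 0;
}

/* Vulnerable shape: the previous user is freed, the pointer is left as it was. */
static int krb_authenticate_vuln(struct ksmbd_session *sess, bool ticket_ok)
{
    if (sess->user)
        ksmbd_free_user(sess->user);    /* sess->user now dangles */
    return krb5_authenticate_stub(sess, ticket_ok);
}

/* Fixed shape: clear the pointer at the point of the free, so a failed
 * re-authentication leaves the session with user == NULL. */
static int krb_authenticate_fixed(struct ksmbd_session *sess, bool ticket_ok)
{
    if (sess->user) {
        ksmbd_free_user(sess->user);
        sess->user = NULL;
    }
    return krb5_authenticate_stub(sess, ticket_ok);
}

typedef int (*auth_fn)(struct ksmbd_session *, bool);

/* Models the caller (smb2_sess_setup): after a failed authentication it looks
 * at sess->user again.  The only valid state on that path is NULL; anything
 * else is the freed object, which real code would go on to dereference.  Here
 * the pointer is only tested against NULL, never dereferenced. */
static enum outcome sess_setup(struct ksmbd_session *sess, auth_fn auth, bool ticket_ok)
{
    int rc = auth(sess, ticket_ok);

    if (rc == 0)
        return AUTH_OK;
    if (sess->user == NULL)
        return SAFE_REJECT;
    return UAF_REACHED;
}

/* Runs one scenario on a session that already holds a user, i.e. the state in
 * which krb_authenticate actually has something to free. */
static enum outcome run_scenario(auth_fn auth, bool ticket_ok)
{
    struct ksmbd_session sess = { .user = calloc(1, sizeof(struct ksmbd_user)) };
    enum outcome out;

    if (!sess.user)
        abort();
    sess.user->uid = 1;
    out = sess_setup(&sess, auth, ticket_ok);
    if (out == AUTH_OK)
        ksmbd_free_user(sess.user);    /* fresh object, safe to release */
    /* On UAF_REACHED the object was already freed; freeing it again would be a double free. */
    return out;
}

int main(void)
{
    printf("vulnerable, ticket rejected: %d (1 = dangling pointer reached)\n",
           run_scenario(krb_authenticate_vuln, false));
    printf("fixed,      ticket rejected: %d (0 = safely rejected)\n",
           run_scenario(krb_authenticate_fixed, false));
    printf("fixed,      ticket accepted: %d (2 = new user installed)\n",
           run_scenario(krb_authenticate_fixed, true));
    return 0;
}
```

The point the model makes is that a NULL check in the caller is only as good as the invariant that freed pointers are cleared: krb_authenticate_vuln and krb_authenticate_fixed differ by a single assignment, and only the fixed variant lets sess_setup distinguish "no user" from "freed user".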

Affected Products

Linux kernel versions from 5.15 through 6.15-rc2 are affected, as recorded in the CPE entries for cpe:2.3:o:linux:linux_kernel with the version ranges 5.15.0 to 5.15.174, 6.1.0 to 6.1.119, 6.6.0 to 6.6.66, 6.12.0 to 6.12.5, and 6.15-rc1/rc2. Debian Linux 11.0 is also listed as affected (cpe:2.3:o:debian:debian_linux:11.0). Fixes exist on each of these stable branches, referenced by the git.kernel.org commits in the advisory's references.

Remediation

Apply the vendor kernel patches by upgrading to the fixed release of the branch you run: 5.15.175 or later, 6.1.120 or later, 6.6.67 or later, 6.12.6 or later, or 6.15-rc3 or later. The fixes are the git.kernel.org stable tree commits referenced by the advisory (1db2451de23e, 1e440d5b25b7, 6e30c0e10210, d5b554bc8d55, e83e39a5f6a0); check the running kernel with uname -r against the list above, remembering that distribution kernels may carry the fix under a different version string, so consult the distribution's own advisory. Debian users should monitor the debian-lts-announce list for security updates. As a temporary mitigation where SMB3 serving is not required, disable ksmbd by unloading and blacklisting the ksmbd module; if the module is not loaded on a host, the vulnerable code is not reachable there.

Priority Score

Score: 39 (scale: Low, Medium, High, Critical)

- KEV: 0
- EPSS: +0.1
- CVSS: +39
- POC: 0

Vendor Status

CVE-2025-37778 vulnerability details – vuln.today