Skip to main content

Linux CVE-2025-37778

HIGH
Use After Free (CWE-416)
2025-05-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 18, 2026 - 09:46 vuln.today
v3 (cvss_changed)
Analysis Updated
Apr 18, 2026 - 09:46 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 18, 2026 - 09:22 vuln.today
cvss_changed
Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
Patch released
Mar 17, 2026 - 20:45 nvd
Patch available
CVE Published
May 01, 2025 - 14:15 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: Fix dangling pointer in krb_authenticate

krb_authenticate frees sess->user and does not set the pointer to NULL. It calls ksmbd_krb5_authenticate to reinitialise sess->user but that function may return without doing so. If that happens then smb2_sess_setup, which calls krb_authenticate, will be accessing free'd memory when it later uses sess->user.

AnalysisAI

Use-after-free in Linux kernel ksmbd (SMB server) allows authenticated local attackers to corrupt memory and potentially execute arbitrary code. The vulnerability occurs in krb_authenticate when Kerberos authentication fails to reinitialize a freed session pointer, leading to dangling pointer dereference. Upstream patches available from kernel.org for affected versions including 6.15-rc1/rc2. EPSS score is low (0.07%) with no confirmed active exploitation, but the high CVSS 7.8 reflects serious local privilege escalation potential. Debian and Ubuntu have issued advisories.

Technical ContextAI

This vulnerability affects ksmbd, the in-kernel SMB3 server implementation in Linux (userspace alternative to Samba). The flaw is a classic use-after-free (CWE-416) in the Kerberos authentication code path. When krb_authenticate frees sess->user but ksmbd_krb5_authenticate subsequently fails to reinitialize it, the pointer becomes dangling. Later access in smb2_sess_setup dereferences freed heap memory, enabling memory corruption. Use-after-free bugs are particularly dangerous because the freed memory may be reallocated to an attacker-controlled object, allowing arbitrary read/write primitives. The vulnerability exists in the SMB2 session setup handler, which processes client authentication during SMB connection establishment. CPE data shows impact across multiple kernel versions including release candidates 6.15-rc1 and 6.15-rc2, plus stable branches. The bug requires ksmbd module to be loaded and Kerberos authentication to be configured.

RemediationAI

Apply vendor-supplied kernel updates immediately for systems running ksmbd. Upstream fixes available from kernel.org git stable tree: commits 1db2451de23e, 1e440d5b25b7, 6e30c0e10210, d5b554bc8d55, and e83e39a5f6a0 address the issue across different kernel branches (https://git.kernel.org/stable/c/1db2451de23e98bc864c6a6e52aa0d82c91cb325 and related commits). Debian users should upgrade per debian-lts-announce 2025/05/msg00045.html. Ubuntu users should apply security updates from USN-8126-1. For systems where immediate patching is not feasible, disable ksmbd module entirely with 'rmmod ksmbd' and blacklist it in /etc/modprobe.d/ - this prevents all SMB server functionality but eliminates exposure; organizations requiring SMB file sharing should fall back to userspace Samba daemon which is not affected. Alternatively, disable Kerberos authentication in ksmbd configuration (ksmbd.conf) and use NTLM-only authentication as a temporary workaround, though this reduces security posture for legitimate authentication and may not be acceptable in domain environments; this mitigation assumes the vulnerability is specific to the Kerberos code path in krb_authenticate. Monitor for kernel updates from your distribution and prioritize deployment on multi-user systems where local attackers may have existing low-privilege access.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2025-37778 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy