CVE-2025-37947
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: prevent out-of-bounds stream writes by validating *pos

ksmbd_vfs_stream_write() did not validate whether the write offset (*pos) was within the bounds of the existing stream data length (v_len). If *pos was greater than or equal to v_len, this could lead to an out-of-bounds memory write. This patch adds a check to ensure *pos is less than v_len before proceeding. If the condition fails, -EINVAL is returned.
Analysis
A boundary validation vulnerability in the Linux kernel's ksmbd (in-kernel SMB server) allows authenticated local users to perform out-of-bounds memory writes when handling stream data operations. The flaw occurs when write offsets exceed existing stream data boundaries, potentially leading to memory corruption with high impact on system confidentiality, integrity, and availability (CVSS 7.8). A proof-of-concept exploit is publicly available on GitHub, though real-world exploitation probability remains low at 0.03% according to EPSS data.
Technical Context
The vulnerability affects ksmbd, the Linux kernel's built-in SMB/CIFS server implementation, which lets Linux systems serve files to Windows clients. The flaw resides in the ksmbd_vfs_stream_write() function, which failed to validate whether the write offset position (*pos) was within the bounds of the existing stream data length (v_len). This is a classic CWE-787 out-of-bounds write: a boundary check is missing before a memory operation. Based on CPE data, the vulnerability affects Linux kernel versions up through 6.15-rc5 across multiple branches, including the stable 5.15.x, 6.1.x, 6.6.x, and 6.11.x series, as well as Debian Linux 11.0.
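As an added example (not the ksmbd source and not the kernel's patch), the following userspace C model shows the bounds check the description and the technical context above refer to: a write offset pos is accepted only if pos < v_len, otherwise -EINVAL is returned before any copy takes place. The struct, the fixed buffer capacity, the lower-bound test and the capacity check are the model's own assumptions, not details taken from the kernel code.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed capacity of the model's stream buffer (not a kernel value). */
#define STREAM_CAP 16

struct stream {
    char buf[STREAM_CAP];
    size_t v_len;              /* length of the existing stream data */
};

/* The check the fix adds: the write offset must lie inside the existing
 * stream data, i.e. pos < v_len. Returns 0 when valid, -EINVAL otherwise.
 * The lower-bound test is the model's own addition for signed offsets. */
int stream_pos_valid(long long pos, size_t v_len)
{
    if (pos < 0 || (unsigned long long)pos >= v_len)
        return -EINVAL;
    return 0;
}

/* Hardened write: validate pos first, then copy. Because the model keeps a
 * fixed buffer it also refuses writes that would run past STREAM_CAP, a
 * simplification that is not part of the described patch.
 * Returns the number of bytes written or a negative errno value. */
long stream_write(struct stream *s, long long pos, const char *data, size_t count)
{
    int err = stream_pos_valid(pos, s->v_len);

    if (err)
        return err;
    if (count > STREAM_CAP - (size_t)pos)
        return -EINVAL;
    memcpy(&s->buf[pos], data, count);
    if ((size_t)pos + count > s->v_len)
        s->v_len = (size_t)pos + count;
    return (long)count;
}

int main(void)
{
    struct stream s = { "hello", 5 };   /* constructed 5-byte stream */

    printf("write at 1: %ld\n", stream_write(&s, 1, "EY", 2)); /* 2 */
    printf("write at 5: %ld\n", stream_write(&s, 5, "x", 1));  /* -EINVAL: pos == v_len */
    printf("write at 9: %ld\n", stream_write(&s, 9, "x", 1));  /* -EINVAL: pos > v_len */
    return 0;
}
```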
Affected Products
The vulnerability affects Linux kernel versions from 5.15 up to but not including the patched versions, specifically kernels 5.15.x before 5.15.177, 6.1.x before 6.1.123, 6.6.x before 6.6.69, 6.11.x before 6.11.12, and all 6.15 release candidates through rc5. Debian Linux 11.0 (Bullseye) is also confirmed affected per the CPE data, and Debian has issued a security update through its LTS announcement. Any Linux system running an affected kernel version with ksmbd enabled for SMB/CIFS file sharing is vulnerable.
Remediation
Update the Linux kernel to the patched versions: 5.15.177 or later for the 5.15.x branch, 6.1.123 or later for 6.1.x, 6.6.69 or later for 6.6.x, or 6.11.12 or later for 6.11.x. Debian 11 users should apply the update referenced in the Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html. As a temporary mitigation, disable ksmbd if SMB file sharing is not required, or restrict local access to trusted users only. The vendor patches are available through the kernel.org Git repositories linked in the references.