How CVE-2025-22037 Works
The vulnerability exists in the ksmbd (kernel SMB daemon) component of the Linux kernel. When a malicious client sends a malformed SMB2 negotiate request, ksmbd returns an error response but then fails to reject the session setup request that follows. Because the negotiation failed, conn->preauth_info was never allocated, yet ksmbd still processes the session setup and dereferences that NULL pointer inside alloc_preauth_hash(). The kernel patch adds a KSMBD_SESS_NEED_SETUP status check so that session setup is refused until negotiation has completed successfully.
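The state-ordering bug above, modelled in user space as an added example (this is constructed illustration code, not ksmbd source): the status values, field names and NTSTATUS constants follow the advisory, while the struct layout, the `smb2_rsp` type and the scenario helpers are assumptions. The model allocates `preauth_info` only on a successful negotiate, reports where the pre-fix session setup would dereference NULL, and shows the patched handler rejecting the same request with STATUS_INVALID_PARAMETER.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-space model of the ksmbd connection state machine.
 * Status and field names follow the advisory; the layout, helpers and
 * NTSTATUS constants are assumptions for illustration, not kernel code. */
enum conn_status { KSMBD_SESS_NEW = 0, KSMBD_SESS_NEED_SETUP, KSMBD_SESS_GOOD };

#define STATUS_SUCCESS           0x00000000UL
#define STATUS_INVALID_PARAMETER 0xC000000DUL

struct preauth_info { unsigned char hash[64]; };     /* preauth integrity hash */
struct conn {
	enum conn_status status;
	struct preauth_info *preauth_info;   /* NULL until negotiate succeeds */
};
struct smb2_rsp { unsigned long Status; };           /* NTSTATUS sent to client */

/* Negotiate model: preauth_info is allocated only on the success path. A
 * malformed request returns early and leaves the connection untouched. */
int smb2_negotiate(struct conn *conn, bool malformed)
{
	if (malformed)
		return -EINVAL;
	conn->preauth_info = calloc(1, sizeof *conn->preauth_info);
	if (!conn->preauth_info)
		return -ENOMEM;
	conn->status = KSMBD_SESS_NEED_SETUP;
	return 0;
}

/* alloc_preauth_hash() model: writes through conn->preauth_info with no
 * NULL check, which is why the pre-fix ordering is fatal. */
static void alloc_preauth_hash(struct conn *conn)
{
	memset(conn->preauth_info->hash, 0, sizeof conn->preauth_info->hash);
}

/* Reports whether the pre-fix session-setup path, which calls
 * alloc_preauth_hash() unconditionally, would dereference NULL here.
 * The dereference itself is deliberately not performed. */
bool prefix_setup_would_deref_null(const struct conn *conn)
{
	return conn->preauth_info == NULL;
}

/* Fixed session setup: the patch's status check runs before anything
 * touches preauth_info. */
int smb2_sess_setup_fixed(struct conn *conn, struct smb2_rsp *rsp)
{
	if (conn->status != KSMBD_SESS_NEED_SETUP) {
		rsp->Status = STATUS_INVALID_PARAMETER;
		return -EINVAL;
	}
	alloc_preauth_hash(conn);
	conn->status = KSMBD_SESS_GOOD;
	rsp->Status = STATUS_SUCCESS;
	return 0;
}

/* Advisory sequence on a fresh connection: malformed negotiate, then
 * session setup. Returns 1 when the pre-fix path would have hit the NULL
 * dereference and the fixed handler instead rejects the setup with
 * STATUS_INVALID_PARAMETER / -EINVAL. */
int scenario_failed_negotiate(void)
{
	struct conn conn = { KSMBD_SESS_NEW, NULL };
	struct smb2_rsp rsp = { 0 };

	(void)smb2_negotiate(&conn, true);
	int rc = smb2_sess_setup_fixed(&conn, &rsp);
	return prefix_setup_would_deref_null(&conn) && rc == -EINVAL &&
	       rsp.Status == STATUS_INVALID_PARAMETER;
}

/* Control case: well-formed negotiate, then session setup. Returns 1 when
 * setup succeeds and the connection reaches KSMBD_SESS_GOOD. */
int scenario_good_negotiate(void)
{
	struct conn conn = { KSMBD_SESS_NEW, NULL };
	struct smb2_rsp rsp = { 0 };

	int ok = smb2_negotiate(&conn, false) == 0 &&
	         smb2_sess_setup_fixed(&conn, &rsp) == 0 &&
	         conn.status == KSMBD_SESS_GOOD && rsp.Status == STATUS_SUCCESS;
	free(conn.preauth_info);
	return ok;
}

int main(void)
{
	printf("failed negotiate then setup, fix rejects it: %d\n",
	       scenario_failed_negotiate());
	printf("good negotiate then setup, setup succeeds: %d\n",
	       scenario_good_negotiate());
	return 0;
}
```

The point the model makes is that the fix is a state-machine guard rather than a NULL check: the handler never reaches the code that needs `preauth_info` unless the connection's status proves the allocation happened.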
DailyCVE Form
Platform: Linux Kernel
Version: pre-5.15.90
Vulnerability: Null Dereference
Severity: Critical
Date: 04/16/2025
What Undercode Say:
Exploitation Analysis:
- Crafted SMB2 negotiate packet triggers error state
- Follow-up session setup request bypasses checks
- Kernel crashes accessing NULL preauth_info
- Potential for RCE in certain configurations
Protection Commands:
1. `sudo apt-get update && sudo apt-get upgrade linux-image-$(uname -r)`
2. `sudo modprobe -r ksmbd && echo "blacklist ksmbd" | sudo tee -a /etc/modprobe.d/blacklist.conf`
3. `sudo iptables -A INPUT -p tcp --dport 445 -j DROP`
Detection Script:
#!/bin/bash
# Flags kernels older than the version this advisory names (5.15.90)
# and reports whether the ksmbd module is currently loaded.
KERNEL_VER=$(uname -r)
# Drop the distro suffix (e.g. "-generic", "-rc1") and split major.minor.patch
IFS=. read -r MAJOR MINOR PATCH <<< "${KERNEL_VER%%-*}"
PATCH=${PATCH%%[^0-9]*}   # strip trailing "+" or similar from the patch level
PATCH=${PATCH:-0}
if (( MAJOR < 5 || (MAJOR == 5 && MINOR < 15) || (MAJOR == 5 && MINOR == 15 && PATCH < 90) )); then
    echo "Vulnerable kernel detected: $KERNEL_VER"
    grep -q '^ksmbd ' /proc/modules && echo "ksmbd module loaded"
fi
Mitigation Code:
// Kernel patch snippet + if (conn->status != KSMBD_SESS_NEED_SETUP) { + rsp->hdr.Status = STATUS_INVALID_PARAMETER; + return -EINVAL; + }
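Review bot: The guard only works if conn->status is set to KSMBD_SESS_NEED_SETUP exactly when negotiate completes successfully and is left unchanged on the negotiate error path; the snippet shows neither assignment, so a reader cannot confirm that the failed-negotiate sequence described above is actually rejected. It also gives no context for where in the session-setup handler the check is inserted: it must sit before the first use of conn->preauth_info (the alloc_preauth_hash() call named above), otherwise the NULL dereference remains reachable. Finally, the leading "// Kernel patch snippet" line is not part of the diff and should be separated from the `+` lines.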
Debugging Commands:
1. `dmesg | grep -i ksmbd`
2. `cat /proc/kallsyms | grep alloc_preauth_hash`
3. `strace -f -e trace=network -p $(pgrep ksmbd)`
Vulnerability Checks:
- Verify kernel version with `uname -a`
- Check ksmbd module status with `lsmod | grep ksmbd`
- Test the SMB service with `smbclient -L //localhost`
Impact Assessment:
- Denial of Service (kernel panic)
- Potential privilege escalation
- Affects systems with ksmbd enabled
- Requires no authentication
Patch Verification:
git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
cd linux
git grep "KSMBD_SESS_NEED_SETUP" -- fs/ksmbd/
Network Protection:
table inet smb_protect {
    chain input {
        type filter hook input priority 0;
        tcp dport { 445, 139 } drop
    }
}
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode