Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix type confusion via race condition when using ipc_msg_send_request

req->handle is allocated using ksmbd_acquire_id(&ipc_ida), based on
ida_alloc. req->handle from ksmbd_ipc_login_request and the
FSCTL_PIPE_TRANSCEIVE ioctl can be the same, and it could lead to type confusion
between messages, resulting in access to unexpected parts of memory after
an incorrect delivery. ksmbd checks the type of the ipc response but is missing
a continue to check the next ipc response.
Published: 2025-04-01
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Patch kernel
AI Analysis

Impact

The Linux kernel includes a race condition in the ksmbd SMB server component that can cause type confusion between IPC messages. When req->handle values overlap, an attacker can trick the system into reading or writing unintended memory locations, potentially leading to data corruption or arbitrary code execution. The flaw arises because ksmbd fails to correctly validate the type of certain IPC responses.
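The dispatch pattern behind this bug, as an added illustration written for this page and not the kernel's ksmbd code: a simplified C model of a response-dispatch loop that matches pending requests to incoming responses by handle. It is shown once with the missing `continue` (the mismatch is logged but the payload is delivered to the wrong waiter anyway) and once with the `continue` in place. The enum names, the reused handle value 7, the payload string and the function names are all constructed for the demonstration and are not taken from the kernel.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical message types, modelled on the two requests the advisory
 * names (login and FSCTL_PIPE_TRANSCEIVE). A request's reply type is the
 * request type plus one; the numbers are ours, not the kernel's. */
enum ipc_type {
    IPC_LOGIN_REQUEST = 0,
    IPC_LOGIN_RESPONSE = 1,
    IPC_PIPE_TRANSCEIVE_REQUEST = 2,
    IPC_PIPE_TRANSCEIVE_RESPONSE = 3
};

/* One request waiting for its reply; matched to responses by handle. */
struct pending_req {
    unsigned int handle;   /* taken from an ID pool; may be reused */
    enum ipc_type type;    /* request type; the expected reply is type + 1 */
    char response[64];     /* reply payload lands here */
    bool delivered;
};

/* A response coming back from the userspace daemon (constructed). */
struct ipc_response {
    unsigned int handle;
    enum ipc_type type;
    const char *payload;
};

static void deliver(struct pending_req *entry, const struct ipc_response *resp)
{
    /* Bounded copy: the issue modelled here is which waiter receives the
     * payload, not an overrun of the buffer itself. */
    snprintf(entry->response, sizeof(entry->response), "%s", resp->payload);
    entry->delivered = true;
}

/* Vulnerable dispatch: logs the type mismatch but, lacking a 'continue',
 * falls through and delivers the payload to the mismatched waiter. */
int handle_response_vulnerable(struct pending_req *table, size_t n,
                               const struct ipc_response *resp)
{
    int delivered = 0;
    for (size_t i = 0; i < n; i++) {
        struct pending_req *entry = &table[i];
        if (entry->handle != resp->handle)
            continue;
        if ((int)entry->type + 1 != (int)resp->type) {
            fprintf(stderr, "Waiting for IPC type %d, got %d. Ignore.\n",
                    (int)entry->type + 1, (int)resp->type);
            /* BUG: no 'continue' here, so the delivery below still runs */
        }
        deliver(entry, resp);
        delivered++;
    }
    return delivered;
}

/* Fixed dispatch: a mismatched type skips this entry and keeps scanning. */
int handle_response_fixed(struct pending_req *table, size_t n,
                          const struct ipc_response *resp)
{
    int delivered = 0;
    for (size_t i = 0; i < n; i++) {
        struct pending_req *entry = &table[i];
        if (entry->handle != resp->handle)
            continue;
        if ((int)entry->type + 1 != (int)resp->type) {
            fprintf(stderr, "Waiting for IPC type %d, got %d. Ignore.\n",
                    (int)entry->type + 1, (int)resp->type);
            continue;   /* the fix: move on to the next waiter */
        }
        deliver(entry, resp);
        delivered++;
    }
    return delivered;
}

/* Replays the advisory's scenario: a login request and a pipe-transceive
 * request that ended up with the same handle (7, a constructed value), then
 * a pipe-transceive response for that handle. Returns how many waiters
 * received a reply of the wrong type. */
int count_confused_deliveries(bool use_fix)
{
    struct pending_req table[2] = {
        { .handle = 7, .type = IPC_LOGIN_REQUEST },
        { .handle = 7, .type = IPC_PIPE_TRANSCEIVE_REQUEST },
    };
    const struct ipc_response resp = {
        .handle = 7, .type = IPC_PIPE_TRANSCEIVE_RESPONSE, .payload = "pipe-bytes"
    };

    if (use_fix)
        handle_response_fixed(table, 2, &resp);
    else
        handle_response_vulnerable(table, 2, &resp);

    int confused = 0;
    for (size_t i = 0; i < 2; i++)
        if (table[i].delivered && (int)table[i].type + 1 != (int)resp.type)
            confused++;
    return confused;   /* 1 without the fix, 0 with it */
}

int main(void)
{
    printf("vulnerable dispatch: %d waiter(s) got a wrong-type reply\n",
           count_confused_deliveries(false));
    printf("fixed dispatch:      %d waiter(s) got a wrong-type reply\n",
           count_confused_deliveries(true));
    return 0;
}
```

The point the model makes is that a handle alone is not a safe correlation key once the allocator can hand the same value to two outstanding requests of different kinds; the type check has to actually reject the entry, not just log, or the response is written into a structure laid out for a different message.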

Affected Systems

Affected versions include Linux kernels up to and including the 6.14 development releases (6.14-rc1 through 6.14-rc5). The bug is present until the upstream patch is merged into a stable release, and any kernel distribution shipping one of these affected revisions is impacted.

Risk and Exploitability

The CVSS score of 8.1 marks this as a high‑severity issue, but the EPSS score of less than 1 percent indicates a low likelihood of widespread exploitation at present. The vulnerability is not yet listed in CISA’s KEV catalog. Exploitation would likely require sending specially crafted SMB IPC requests that trigger the race condition, a technique that could be performed remotely against an exposed ksmbd service or locally on a system with privileged access.

Generated by OpenCVE AI on April 28, 2026 at 02:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a patched release that includes the ksmbd race‑condition fix.
  • Terminate or disable the ksmbd SMB server if the system does not require it.
  • Configure host‑based firewalls to block SMB IPC traffic to the machine.

Generated by OpenCVE AI on April 28, 2026 at 02:19 UTC.

Advisories

Source | ID | Title
Debian DLA | DLA-4193-1 | linux-6.1 security update
Debian DSA | DSA-5900-1 | linux security update
EUVD | EUVD-2025-9374 | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix type confusion via race condition when using ipc_msg_send_request req->handle is allocated using ksmbd_acquire_id(&ipc_ida), based on ida_alloc. req->handle from ksmbd_ipc_login_request and FSCTL_PIPE_TRANSCEIVE ioctl can be same and it could lead to type confusion between messages, resulting in access to unexpected parts of memory after an incorrect delivery. ksmbd check type of ipc response but missing add continue to check next ipc reponse.
Ubuntu USN | USN-7605-1 | Linux kernel vulnerabilities
Ubuntu USN | USN-7605-2 | Linux kernel (Low Latency) vulnerabilities
Ubuntu USN | USN-7606-1 | Linux kernel (OEM) vulnerabilities
Ubuntu USN | USN-7628-1 | Linux kernel (Azure) vulnerabilities
Ubuntu USN | USN-7764-1 | Linux kernel vulnerabilities
Ubuntu USN | USN-7764-2 | Linux kernel (HWE) vulnerabilities
Ubuntu USN | USN-7765-1 | Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN | USN-7766-1 | Linux kernel vulnerabilities
Ubuntu USN | USN-7767-1 | Linux kernel (Real-time) vulnerabilities
Ubuntu USN | USN-7767-2 | Linux kernel (Real-time) vulnerabilities
Ubuntu USN | USN-7779-1 | Linux kernel (IBM) vulnerabilities
Ubuntu USN | USN-7790-1 | Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN | USN-7800-1 | Linux kernel (Raspberry Pi Real-time) vulnerabilities
Ubuntu USN | USN-7801-1 | Linux kernel (HWE) vulnerabilities
Ubuntu USN | USN-7802-1 | Linux kernel (Azure) vulnerabilities
Ubuntu USN | USN-7801-2 | Linux kernel (Oracle) vulnerabilities
Ubuntu USN | USN-7809-1 | Linux kernel (Azure, N-Series) vulnerabilities
Ubuntu USN | USN-7801-3 | Linux kernel (Oracle) vulnerabilities
History

Thu, 02 Apr 2026 09:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 03 Nov 2025 20:30:00 +0000

Type: References

Wed, 01 Oct 2025 18:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 21 Apr 2025 02:45:00 +0000

Type: Metrics
Values Removed: threat_severity Low
Values Added: threat_severity Moderate

Thu, 10 Apr 2025 18:30:00 +0000

Type: First Time appeared
Values Added: Linux; Linux linux Kernel

Type: Weaknesses
Values Added: CWE-362

Type: CPEs
Values Added:
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Linux; Linux linux Kernel

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
Values Added: cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Wed, 02 Apr 2025 14:00:00 +0000

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity Low

Tue, 01 Apr 2025 16:00:00 +0000

Type: Description
Values Added: In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix type confusion via race condition when using ipc_msg_send_request req->handle is allocated using ksmbd_acquire_id(&ipc_ida), based on ida_alloc. req->handle from ksmbd_ipc_login_request and FSCTL_PIPE_TRANSCEIVE ioctl can be same and it could lead to type confusion between messages, resulting in access to unexpected parts of memory after an incorrect delivery. ksmbd check type of ipc response but missing add continue to check next ipc reponse.

Type: Title
Values Added: ksmbd: fix type confusion via race condition when using ipc_msg_send_request

Type: References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-02T08:39:27.794Z

Reserved: 2024-12-29T08:45:45.790Z

Link: CVE-2025-21947

Vulnrichment

Updated: 2025-11-03T19:39:47.370Z

NVD

Status : Modified

Published: 2025-04-01T16:15:25.830

Modified: 2026-04-02T09:16:17.997

Link: CVE-2025-21947

Redhat

Severity: Moderate

Public Date: 2025-04-01T00:00:00Z

Links: CVE-2025-21947 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T02:30:18Z

Weaknesses