CVE-2025-22040 - Vulnerability Details

- ksmbd: fix session use-after-free in multichannel connection

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix session use-after-free in multichannel connection

There is a race condition between session setup and
ksmbd_sessions_deregister. The session can be freed before the connection
is added to channel list of session.
This patch check reference count of session before freeing it.

Published: 2025-04-16

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A race condition exists in the Linux kernel’s ksmbd component that allows a session to be freed before it is fully registered in the channel list. This results in a use‑after‑free situation, which can corrupt kernel memory. Though the description does not specify a concrete exploit, such memory corruption can enable an attacker to gain privileged access or cause a denial of service.

Affected Systems

The vulnerability affects the Linux kernel as used by Debian Linux 11.0 and by any Linux system running a kernel version that has not been patched for the ksmbd session use‑after‑free. The official references list commits that address the issue, indicating that only kernels prior to those patches are vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity impact. The EPSS score of less than 1 % suggests that the likelihood of exploitation is low, and the vulnerability is not yet listed in CISA’s KEV catalog. The attack vector is inferred to be local or requires the ability to send specially crafted SMB requests to the affected server, enabling a race condition that results in the memory corruption described above.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< 596407adb9af1ee75fe7c7529607783d31b66e7f
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< 3980770cb1470054e6400fd97668665975726737
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< 9069939d762138e232a6f79e3e1462682ed6a17d
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< 94c281721d4ed2d972232414b91d98a6f5bdb16b
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< 7dfbd4c43eed91dd2548a95236908025707a8dfd
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< fa4cdb8cbca7d6cb6aa13e4d8d83d1103f6345db

Linux

affected

Version	Status	Constraints
`5.15`	affected	—
`0`	unaffected	< 5.15
`6.1.134`	unaffected	≤ 6.1.*
`6.6.87`	unaffected	≤ 6.6.*
`6.12.23`	unaffected	≤ 6.12.*
`6.13.11`	unaffected	≤ 6.13.*
`6.14.2`	unaffected	≤ 6.14.*
`6.15`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the ksmbd session use‑after‑free fix (see commit 3980770cb1 and related patches).
If an immediate kernel upgrade is not possible, disable or restrict SMB multichannel support on the server by configuring the SMB daemon or by using firewall rules to block SMB traffic from untrusted networks.
Continuously monitor for anomalous SMB activity and apply additional hardening such as restricting SMB to trusted hosts or using SELinux/AppArmor profiles to limit kernel access.

Generated by OpenCVE AI on April 28, 2026 at 02:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4193-1	linux-6.1 security update
Debian DSA	DSA-5907-1	linux security update
EUVD	EUVD-2025-11248	In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix session use-after-free in multichannel connection There is a race condition between session setup and ksmbd_sessions_deregister. The session can be freed before the connection is added to channel list of session. This patch check reference count of session before freeing it.
Ubuntu USN	USN-7594-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7594-2	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-7594-3	Linux kernel vulnerabilities
Ubuntu USN	USN-7605-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7605-2	Linux kernel (Low Latency) vulnerabilities
Ubuntu USN	USN-7606-1	Linux kernel (OEM) vulnerabilities
Ubuntu USN	USN-7628-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-7835-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7835-2	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-7835-3	Linux kernel vulnerabilities
Ubuntu USN	USN-7835-4	Linux kernel (HWE) vulnerabilities
Ubuntu USN	USN-7835-5	Linux kernel (Oracle) vulnerabilities
Ubuntu USN	USN-7835-6	Linux kernel (AWS) vulnerabilities
Ubuntu USN	USN-7887-1	Linux kernel (Raspberry Pi Real-time) vulnerabilities
Ubuntu USN	USN-7887-2	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-7940-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-7940-2	Linux kernel (Azure, N-Series) vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00182.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://git.kernel.org/stable/c/3980770cb1470054e6400fd97668665975726737
https://git.kernel.org/stable/c/596407adb9af1ee75fe7c7529607783d31b66e7f
https://git.kernel.org/stable/c/7dfbd4c43eed91dd2548a95236908025707a8dfd
https://git.kernel.org/stable/c/9069939d762138e232a6f79e3e1462682ed6a17d
https://git.kernel.org/stable/c/94c281721d4ed2d972232414b91d98a6f5bdb16b
https://git.kernel.org/stable/c/fa4cdb8cbca7d6cb6aa13e4d8d83d1103f6345db
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html
https://lore.kernel.org/linux-cve-announce/2025041659-CVE-2025-22040-27ed@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-22040
https://www.cve.org/CVERecord?id=CVE-2025-22040

History

Mon, 06 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Debian Debian debian Linux
CPEs		cpe:2.3:o:debian:debian_linux:11.0:::::::*
Vendors & Products		Debian Debian debian Linux

Thu, 02 Apr 2026 09:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 03 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html

Fri, 25 Apr 2025 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel

Mon, 21 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 21 Apr 2025 15:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Fri, 18 Apr 2025 02:45:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025041659-CVE-2025-22040-27ed@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-22040 https://www.cve.org/CVERecord?id=CVE-2025-22040
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 16 Apr 2025 14:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix session use-after-free in multichannel connection There is a race condition between session setup and ksmbd_sessions_deregister. The session can be freed before the connection is added to channel list of session. This patch check reference count of session before freeing it.
Title		ksmbd: fix session use-after-free in multichannel connection
References		https://git.kernel.org/stable/c/3980770cb1470054e6400fd97668665975726737 https://git.kernel.org/stable/c/596407adb9af1ee75fe7c7529607783d31b66e7f https://git.kernel.org/stable/c/7dfbd4c43eed91dd2548a95236908025707a8dfd https://git.kernel.org/stable/c/9069939d762138e232a6f79e3e1462682ed6a17d https://git.kernel.org/stable/c/94c281721d4ed2d972232414b91d98a6f5bdb16b https://git.kernel.org/stable/c/fa4cdb8cbca7d6cb6aa13e4d8d83d1103f6345db

Subscriptions

Debian Debian Linux

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-04-16T14:11:57.601Z

Updated: 2026-05-11T21:11:28.647Z

Reserved: 2024-12-29T08:45:45.809Z

Link: CVE-2025-22040

Vulnrichment

Updated: 2025-11-03T19:41:21.699Z

NVD

Status : Analyzed

Published: 2025-04-16T15:15:56.590

Modified: 2026-04-06T14:29:37.367

Link: CVE-2025-22040

Redhat

Severity : Low

Publid Date: 2025-04-16T00:00:00Z

Links: CVE-2025-22040 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T02:30:18Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object