CVE-2025-37924 - Vulnerability Details

- ksmbd: fix use-after-free in kerberos authentication

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in kerberos authentication

Setting sess->user = NULL was introduced to fix the dangling pointer
created by ksmbd_free_user. However, it is possible another thread could
be operating on the session and make use of sess->user after it has been
passed to ksmbd_free_user but before sess->user is set to NULL.

Published: 2025-05-20

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel’s ksmbd Samba service, a use‑after‑free flaw is introduced during Kerberos authentication. After a user session is freed, another concurrent thread may still dereference the previously freed sess->user pointer, leading to memory corruption that could be manipulated to run arbitrary code. The vulnerability is categorized under CWE‑416, indicating a classic use‑after‑free scenario.

Affected Systems

The flaw affects Linux kernels that include the ksmbd service, notably versions 6.15 release candidates 1 through 4 and all builds based on the 6.15 series. Debian snapshot 11.0 kernels are also impacted as they package the 6.15 code. Any distribution that ships an unpatched copy of the kernel is vulnerable.

Risk and Exploitability

The CVSS score is 9.8, reflecting a high severity and a high likelihood of exploitation. EPSS is reported as < 1 %, meaning the overall probability of an observed exploit is currently very low, though the flaw remains exfiltration‐ready. The vulnerability is not yet listed in the CISA KEV catalog. Exploitation would require a concurrent thread accessing the freed memory, suggesting that a privileged or remote attacker could trigger the flaw by interacting with the SMB service, potentially giving them complete control of the host.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< e34a33d5d7e87399af0a138bb32f6a3e95dd83d2
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< b447463562238428503cfba1c913261047772f90
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< e18c616718018dfc440e4a2d2b94e28fe91b1861
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< 28c756738af44a404a91b77830d017bb0c525890
`0626e6641f6b467447c81dd7678a69c66f7746cf`	affected	< e86e9134e1d1c90a960dd57f59ce574d27b9a124

Linux

affected

Version	Status	Constraints
`5.15`	affected	—
`0`	unaffected	< 5.15
`6.1.138`	unaffected	≤ 6.1.*
`6.6.90`	unaffected	≤ 6.6.*
`6.12.28`	unaffected	≤ 6.12.*
`6.14.6`	unaffected	≤ 6.14.*
`6.15`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc4::::::

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Linux	Linux Kernel	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a patched release that includes the correction (e.g., kernel 6.15 rc5 or later stable releases).
If immediate kernel upgrading is not feasible, disable Kerberos authentication in ksmbd or stop the SMB service entirely until the patch is applied.
Apply any distribution‑specific security updates—such as Debian security advisories for kernel 6.15—ensuring the fix is installed and active.

Generated by OpenCVE AI on April 28, 2026 at 01:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4271-1	linux-6.1 security update
Debian DSA	DSA-5925-1	linux security update
EUVD	EUVD-2025-15921	In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in kerberos authentication Setting sess->user = NULL was introduced to fix the dangling pointer created by ksmbd_free_user. However, it is possible another thread could be operating on the session and make use of sess->user after it has been passed to ksmbd_free_user but before sess->user is set to NULL.
Ubuntu USN	USN-7649-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7649-2	Linux kernel (AWS) vulnerabilities
Ubuntu USN	USN-7650-1	Linux kernel (OEM) vulnerabilities
Ubuntu USN	USN-7665-1	Linux kernel (Oracle) vulnerabilities
Ubuntu USN	USN-7665-2	Linux kernel (AWS) vulnerabilities
Ubuntu USN	USN-7721-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8028-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8028-2	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8031-1	Linux kernel (GCP) vulnerabilities
Ubuntu USN	USN-8028-3	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8028-4	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8028-5	Linux kernel vulnerabilities
Ubuntu USN	USN-8031-2	Linux kernel (GCP FIPS) vulnerabilities
Ubuntu USN	USN-8028-6	Linux kernel (HWE) vulnerabilities
Ubuntu USN	USN-8031-3	Linux kernel vulnerabilities
Ubuntu USN	USN-8052-1	Linux kernel (Low Latency) vulnerabilities
Ubuntu USN	USN-8028-7	Linux kernel (Low Latency NVIDIA) vulnerabilities
Ubuntu USN	USN-8028-8	Linux kernel (IBM) vulnerabilities
Ubuntu USN	USN-8052-2	Linux kernel (Xilinx) vulnerabilities
Ubuntu USN	USN-8074-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8074-2	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-8126-1	Linux kernel (Azure) vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00266.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/28c756738af44a404a91b77830d017bb0c525890
https://git.kernel.org/stable/c/b447463562238428503cfba1c913261047772f90
https://git.kernel.org/stable/c/e18c616718018dfc440e4a2d2b94e28fe91b1861
https://git.kernel.org/stable/c/e34a33d5d7e87399af0a138bb32f6a3e95dd83d2
https://git.kernel.org/stable/c/e86e9134e1d1c90a960dd57f59ce574d27b9a124
https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html
https://lore.kernel.org/linux-cve-announce/2025052004-CVE-2025-37924-ec7d@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-37924
https://www.cve.org/CVERecord?id=CVE-2025-37924

History

Thu, 02 Apr 2026 09:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 10 Nov 2025 21:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Debian Debian debian Linux
Weaknesses		CWE-416
CPEs		cpe:2.3:o:debian:debian_linux:11.0:::::::* cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.15:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.15:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.15:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.15:rc4::::::
Vendors & Products		Debian Debian debian Linux
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 03 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html

Mon, 14 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00164}`	epss `{'score': 0.00136}`

Thu, 22 May 2025 02:45:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025052004-CVE-2025-37924-ec7d@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-37924 https://www.cve.org/CVERecord?id=CVE-2025-37924
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Tue, 20 May 2025 15:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in kerberos authentication Setting sess->user = NULL was introduced to fix the dangling pointer created by ksmbd_free_user. However, it is possible another thread could be operating on the session and make use of sess->user after it has been passed to ksmbd_free_user but before sess->user is set to NULL.
Title		ksmbd: fix use-after-free in kerberos authentication
References		https://git.kernel.org/stable/c/28c756738af44a404a91b77830d017bb0c525890 https://git.kernel.org/stable/c/b447463562238428503cfba1c913261047772f90 https://git.kernel.org/stable/c/e18c616718018dfc440e4a2d2b94e28fe91b1861 https://git.kernel.org/stable/c/e34a33d5d7e87399af0a138bb32f6a3e95dd83d2 https://git.kernel.org/stable/c/e86e9134e1d1c90a960dd57f59ce574d27b9a124

Subscriptions

Debian Debian Linux

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-05-20T15:21:52.681Z

Updated: 2026-05-11T21:17:44.553Z

Reserved: 2025-04-16T04:51:23.969Z

Link: CVE-2025-37924

Vulnrichment

No data.

NVD

Status : Modified

Published: 2025-05-20T16:15:29.037

Modified: 2026-04-02T09:16:18.963

Link: CVE-2025-37924

Redhat

Severity : Low

Publid Date: 2025-05-20T00:00:00Z

Links: CVE-2025-37924 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T01:45:18Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object