CVE-2024-58087 Overview
CVE-2024-58087 is a race condition vulnerability in the Linux kernel's ksmbd in-kernel SMB3 server. The flaw exists in the session lookup logic, where the session reference count was incremented outside of the protective lock. This created a timing window where a session could expire concurrently with a lookup operation, leading to inconsistent state on the session object [CWE-667 - Improper Locking].
The issue affects Linux kernel versions including 6.13-rc1 and 6.13-rc2 release candidates. The vulnerability is exploitable over the network without authentication, but requires high attack complexity due to the precise timing needed to win the race. Successful exploitation can impact confidentiality, integrity, and availability of the target system.
Critical Impact
Network-adjacent attackers can trigger a race between ksmbd session lookup and session expiration, potentially leading to memory corruption or denial of service on systems exposing the ksmbd SMB server.
Affected Products
- Linux Kernel (multiple stable branches prior to fix)
- Linux Kernel 6.13-rc1
- Linux Kernel 6.13-rc2
Discovery Timeline
- 2025-03-12 - CVE-2024-58087 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2024-58087
Vulnerability Analysis
The vulnerability resides in the ksmbd kernel module, which implements an SMB3 file server in the Linux kernel. ksmbd maintains a table of active client sessions and uses reference counting to manage session lifetimes. Multiple kernel threads can perform session lookups concurrently while a separate expiration path tears down stale sessions.
In the pre-patch code, the lookup routine acquired a lock to find the matching session structure, released the lock, and then incremented the session reference count. During the window between unlock and refcount increment, the session expiration handler could observe a zero refcount and proceed to free the session. The lookup thread then operated on memory that had been released, producing classic use-after-free conditions.
The upstream fix moves the reference count increment inside the lock held during lookup. This ensures expire logic cannot remove the session between the lookup match and the refcount bump.
Root Cause
The root cause is improper locking around reference counting [CWE-667]. The session reference count was treated as independent of the lookup lock, breaking the invariant that a successful lookup must atomically pin the returned object. Any concurrent code path checking the refcount could race with consumers that had not yet acquired their reference.
Attack Vector
Exploitation requires a remote attacker to reach the SMB service exposed by ksmbd over the network. The attacker must drive concurrent SMB session establishment, lookup, and expiration operations to land the race window. No prior authentication is required because session lookup occurs during the SMB negotiation and authentication flow. Successful timing yields use-after-free against the freed session object, which can be leveraged for kernel memory corruption, information disclosure, or denial of service.
No verified public proof-of-concept code is available. See the Zero Day Initiative Advisory ZDI-25-100 and the upstream kernel commits for technical details.
Detection Methods for CVE-2024-58087
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing ksmbd_session, ksmbd_session_lookup, or ksmbd_expire_session functions in dmesg and /var/log/kern.log.
- KASAN reports indicating use-after-free in the ksmbd module on kernels built with sanitizers enabled.
- Sudden termination or restart of the ksmbd.mountd userspace helper alongside kernel stack traces.
Detection Strategies
- Monitor for repeated, rapid SMB session establishment and teardown patterns from a single source against ksmbd hosts, which can indicate race-window probing.
- Inspect kernel ring buffer logs for BUG:, WARNING:, or general protection fault entries originating in fs/smb/server/.
- Correlate network telemetry showing concurrent SMB connections from the same client with subsequent kernel instability events.
Monitoring Recommendations
- Forward kernel logs to a centralized logging system and alert on oops or panic strings tied to ksmbd.
- Track the running kernel version across the fleet and flag hosts still running pre-patch builds with ksmbd enabled.
- Audit which hosts expose TCP port 445 externally and reduce exposure where ksmbd is in use.
How to Mitigate CVE-2024-58087
Immediate Actions Required
- Update the Linux kernel to a version containing the fix from your distribution vendor. Reference the upstream commits below to confirm backport inclusion.
- Restrict network access to TCP port 445 on ksmbd hosts using host or perimeter firewalls until patches are applied.
- Disable the ksmbd module on systems that do not require it by unloading with modprobe -r ksmbd and blacklisting the module.
Patch Information
The vulnerability is resolved by moving the session reference count increment inside the lookup lock. The fix is present in the upstream kernel via the following commits: 2107ab40629a, 37a0e2b362b3, 450a844c045f, a39e31e22a53, and b95629435b84. Additional context is available in the Zero Day Initiative Advisory.
Workarounds
- Unload and blacklist the ksmbd kernel module where SMB server functionality is not required on the host.
- Replace ksmbd with userspace Samba (smbd) until the kernel is patched, since this vulnerability is specific to the in-kernel server.
- Limit SMB exposure to trusted management VLANs and authenticated clients only, reducing the population of network actors able to drive the race.
# Disable and blacklist the ksmbd module until patched
sudo systemctl stop ksmbd
sudo modprobe -r ksmbd
echo 'blacklist ksmbd' | sudo tee /etc/modprobe.d/blacklist-ksmbd.conf
# Verify the running kernel version after update
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
