CVE-2025-21994 Overview
CVE-2025-21994 is an input validation vulnerability in ksmbd, the Linux kernel's in-kernel SMB server. The flaw is in the parse_dcal() function, which validates the num_aces field of the SMB Access Control List (smb_acl) structure before allocating storage for its entries. The only check was if (num_aces > ULONG_MAX / sizeof(struct smb_ace *)). That guards the multiplication inside the allocation call against integer overflow but otherwise accepts any count up to that ceiling, as if an array approaching ULONG_MAX bytes were a legitimate allocation. A request can therefore claim far more ACEs than it actually carries and drive an oversized kernel allocation, which could lead to memory corruption or denial of service conditions.
Critical Impact
A local attacker with low privileges could exploit this improper input validation in the ksmbd SMB server component to cause a denial of service, potentially crashing affected Linux systems running the kernel SMB server. Note that the malformed ACL travels inside SMB requests that ksmbd parses, so in practice the prerequisite is a client that can reach and use the ksmbd service, not a shell on the host.
Affected Products
- Linux kernel releases that do not contain the fix (mainline and the stable series that received backports)
- Linux kernel 6.14 release candidates (rc1 through rc5)
- Any system with the ksmbd (kernel SMB server daemon) module loaded and the service running
Discovery Timeline
- April 2, 2025 - CVE-2025-21994 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-21994
Vulnerability Analysis
The vulnerability resides in the parse_dcal() function of the ksmbd module, which parses the Discretionary Access Control List (DACL) carried in SMB protocol messages. When processing incoming ACL data, the function reads the num_aces field of the smb_acl header to decide how many Access Control Entries (ACEs) to make room for, and allocates an array of that many ACE pointers with kmalloc_array(num_aces, sizeof(struct smb_ace *), ...).
The original validation was fundamentally flawed. The check if (num_aces > ULONG_MAX / sizeof(struct smb_ace *)) only ensures that num_aces multiplied by the pointer size does not overflow an unsigned long. It is not a bound on what the request contains: it accepts any num_aces up to ULONG_MAX / sizeof(struct smb_ace *), which treats an array approaching ULONG_MAX bytes as a legitimate allocation, something no system can satisfy.
Exploitation requires the ksmbd service to be running and, per the rating, local low-privilege access. Because the ACL is read from the request buffer, the attacker-controlled data arrives in an SMB message. An attacker can send ACL data whose num_aces passes the check but bears no relation to the size of the request, so the kernel attempts an allocation far larger than the data actually present, causing allocation failures, resource exhaustion, or other denial of service conditions.
Root Cause
The root cause is improper bounds checking of the num_aces field. The SMB ACL header (smb_acl) carries a size field giving the byte length of the ACL data actually present in the request buffer, and the original check ignored it. The fix keeps the overflow guard and additionally uses size to derive how many ACEs the buffer can hold (the bytes remaining after the smb_acl header divided by the minimum size of one ACE), rejecting any num_aces above that bound. num_aces can then never exceed what the request data itself can contain.
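The following is an added example, not kernel code, that models the num_aces check described in the analysis and root cause above: the pre-fix guard beside a check of the shape the fix uses, run over one legitimate and one crafted DACL header. The struct layouts are a simplified copy of the wire structures in fs/smb/server/smbacl.h and are an assumption here; the kernel uses __le16/__le32 fields, its own SID_MAX_SUB_AUTHORITIES, and reads these values out of the request buffer rather than from function arguments.

```c
/*
 * Added example: user-space model of the num_aces validation in ksmbd's
 * parse_dcal(). Not kernel code; struct layouts are assumed to mirror
 * fs/smb/server/smbacl.h. Build: cc -std=c99 -Wall acl_check.c -o acl_check
 */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SID_MAX_SUB_AUTHORITIES 15   /* value assumed from the kernel header */

struct smb_sid {
    uint8_t  revision;
    uint8_t  num_subauth;
    uint8_t  authority[6];
    uint32_t sub_auth[SID_MAX_SUB_AUTHORITIES];
};

struct smb_ace {
    uint8_t  type;
    uint8_t  flags;
    uint16_t size;
    uint32_t access_req;
    struct smb_sid sid;
};

/* DACL header as it arrives in the request buffer; both fields are attacker
 * controlled. size is the byte length of the whole ACL (header + ACEs). */
struct smb_acl {
    uint16_t revision;
    uint16_t size;
    uint32_t num_aces;
};

/* Smallest ACE that can be parsed: ACE header up to the SID, SID header up
 * to sub_auth, plus one 32-bit sub-authority (20 bytes with this layout). */
#define MIN_ACE_SIZE (offsetof(struct smb_ace, sid) + \
                      offsetof(struct smb_sid, sub_auth) + sizeof(uint32_t))

/* Pre-fix validation: only keeps num_aces * sizeof(struct smb_ace *) from
 * overflowing inside kmalloc_array(). Any count below that ceiling is
 * accepted, whatever the request actually contains. */
bool old_check_accepts(uint16_t size, uint32_t num_aces)
{
    (void)size;                       /* the old check never looked at it */
    if (num_aces == 0)
        return false;
    return num_aces <= ULONG_MAX / sizeof(struct smb_ace *);
}

/* Number of minimum-size ACEs that fit after the header for a given size.
 * A size smaller than the header yields 0. */
uint32_t max_aces_for_size(uint16_t size)
{
    if (size < sizeof(struct smb_acl))
        return 0;
    return (uint32_t)((size - sizeof(struct smb_acl)) / MIN_ACE_SIZE);
}

/* Post-fix validation: keep the overflow guard and additionally require
 * that num_aces ACEs of at least MIN_ACE_SIZE bytes each fit in size. */
bool new_check_accepts(uint16_t size, uint32_t num_aces)
{
    if (num_aces == 0)
        return false;
    if (num_aces > ULONG_MAX / sizeof(struct smb_ace *))
        return false;
    return num_aces <= max_aces_for_size(size);
}

/* Bytes the pointer-array allocation would request once the check passes. */
unsigned long pointer_array_bytes(uint32_t num_aces)
{
    return (unsigned long)num_aces * sizeof(struct smb_ace *);
}

int main(void)
{
    /* Constructed samples: a legitimate DACL with three minimal ACEs, and a
     * crafted one that carries a single ACE but claims 0x3fffffff entries.
     * 0x3fffffff passes the old guard on both 32-bit (ULONG_MAX / 4) and
     * 64-bit (ULONG_MAX / 8) builds. */
    uint16_t legit_size   = (uint16_t)(sizeof(struct smb_acl) + 3 * MIN_ACE_SIZE);
    uint16_t crafted_size = (uint16_t)(sizeof(struct smb_acl) + 1 * MIN_ACE_SIZE);
    uint32_t crafted_aces = 0x3fffffffu;

    printf("legit   (size=%u, num_aces=3): old=%d new=%d\n",
           (unsigned)legit_size,
           old_check_accepts(legit_size, 3), new_check_accepts(legit_size, 3));
    printf("crafted (size=%u, num_aces=%#x): old=%d new=%d, would request %lu bytes\n",
           (unsigned)crafted_size, (unsigned)crafted_aces,
           old_check_accepts(crafted_size, crafted_aces),
           new_check_accepts(crafted_size, crafted_aces),
           pointer_array_bytes(crafted_aces));
    return 0;
}
```

The crafted header is accepted by the old guard and, on a 64-bit build, turns into a request for roughly 8 GiB of pointer storage; the size-derived bound rejects it because only one ACE can fit in the 28 bytes the request declares. The same bound also rejects a header whose num_aces is merely one more than its size allows, which is the ordinary malformed-request case rather than the extreme one.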
Attack Vector
The rated attack vector is local access with low privileges. The attack itself consists of sending specially crafted SMB protocol messages to the ksmbd service whose ACL data carries an out-of-range num_aces value. Since ksmbd runs in kernel space, a successful trigger causes a kernel-side allocation failure or resource exhaustion, leading to system instability or denial of service.
The vulnerability is triggered when:
- The ksmbd service is active and processing SMB connections
- An attacker sends a malformed SMB message containing a DACL structure
- parse_dcal() processes the ACL data, whose num_aces far exceeds the entries the buffer actually holds
- The flawed validation accepts the value because it only guards against multiplication overflow, and the kernel proceeds to the oversized allocation
Detection Methods for CVE-2025-21994
Indicators of Compromise
- Kernel WARNING, oops or panic messages with ksmbd or parse_dcal in the backtrace
- Allocation failure messages (for example "page allocation failure") in kernel logs during SMB processing
- System instability while SMB file sharing is actively used
- Unexplained crashes or freezes on systems running the kernel SMB server
Detection Strategies
- Monitor kernel logs (dmesg or the journal) for ksmbd-related errors or warnings
- Implement system monitoring for unexpected kernel crashes or memory pressure events
- Deploy intrusion detection rules to identify anomalous SMB traffic patterns, in particular SET_INFO-style requests carrying security descriptors from unexpected clients
- Use kernel tracing tools (ftrace or bpftrace function tracing of ksmbd symbols such as parse_dcal) to watch for bursts of ACL parsing from a single client
Monitoring Recommendations
- Enable audit logging for ksmbd service activity and SMB connections
- Configure alerting for kernel allocation failures and OOM (Out of Memory) killer events involving ksmbd
- Monitor system resource utilization for unexpected memory consumption spikes
- Review SMB share access logs for unusual connection patterns or malformed requests
How to Mitigate CVE-2025-21994
Immediate Actions Required
- Update to a patched Linux kernel version containing the fix commits
- If updating is not immediately possible, consider disabling ksmbd if not required for operations
- Restrict local access to systems running ksmbd to trusted users only
- Monitor affected systems for signs of exploitation attempts
Patch Information
Multiple kernel patches have been released to address this vulnerability, one for mainline and one for each maintained stable series. The fix changes the validation in parse_dcal() to bound num_aces by the number of ACEs that can fit in the request buffer as given by smb_acl->size, so that num_aces values larger than the data present are rejected.
Available kernel patches:
- Kernel Patch 1b8b67f
- Kernel Patch 9c4e202
- Kernel Patch a4cb177
- Kernel Patch c3a3484
- Kernel Patch d0f8737
- Kernel Patch f6a6721
Debian users should refer to the Debian LTS Announcement for distribution-specific updates.
Workarounds
- Disable ksmbd service if SMB file sharing via kernel space is not required
- Use Samba userspace SMB implementation as an alternative to ksmbd
- Implement network segmentation to limit access to SMB services
- Apply principle of least privilege to restrict local user access on affected systems
# Disable the ksmbd service if not needed
sudo systemctl stop ksmbd
sudo systemctl disable ksmbd
# Check whether the ksmbd module is loaded
lsmod | grep ksmbd
# Unload the module if it is loaded and no longer in use (fails while the service is still active)
sudo modprobe -r ksmbd
# Prevent the module from being loaded again: "blacklist" only stops alias-based
# autoloading, "install ksmbd /bin/false" also defeats an explicit modprobe
printf 'blacklist ksmbd\ninstall ksmbd /bin/false\n' | sudo tee /etc/modprobe.d/blacklist-ksmbd.conf
# After updating, confirm the running kernel is the patched one
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


