CVE-2025-68806 Overview
CVE-2025-68806 is a buffer validation flaw in the Linux kernel's ksmbd in-kernel SMB3 server. The vulnerability resides in the smb2_set_ea function, which handles Extended Attributes (EA) on SMB shares. The buffer validation logic omitted the size of the null terminator byte when verifying the EaNameLength field, causing the kernel to misjudge the total required buffer size for incoming EA requests. The issue has been resolved upstream through multiple stable kernel commits.
Critical Impact
A remote attacker authenticated to a ksmbd share could craft a malformed SMB2 SET_INFO request whose EA name length bypasses the size check, leading to potential out-of-bounds memory access in the SMB server kernel module.
Affected Products
- Linux kernel ksmbd SMB3 server module
- Multiple stable Linux kernel branches that backport the ksmbd EA handler
- Distributions shipping kernels with ksmbd enabled and exposed via SMB
Discovery Timeline
- 2026-01-13 - CVE-2025-68806 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-68806
Vulnerability Analysis
The defect lives in fs/smb/server/smb2pdu.c within the smb2_set_ea function. This function parses FILE_FULL_EA_INFORMATION structures supplied by SMB2 clients to set Extended Attributes on files. Each EA entry includes an EaNameLength field followed by an EaValueLength field, with the name stored as a null-terminated string.
The original validation compared the declared EaNameLength and EaValueLength against the available buffer size, but it failed to account for the mandatory null terminator that must follow the EA name. As a result, the function could accept an EA structure where the null terminator falls one byte beyond the end of the supplied buffer, leading the kernel to read memory outside the validated region [CWE-125].
Root Cause
The root cause is an off-by-one error in length validation. The patch corrects the check by explicitly adding + 1 to EaNameLength everywhere the null terminator is expected, ensuring the validation matches the structure layout actually parsed by ksmbd. Without this correction, the buffer accounting permits a one-byte over-read into adjacent kernel memory.
Attack Vector
An attacker requires network reachability to a ksmbd share and the ability to issue SMB2 SET_INFO requests carrying Extended Attribute data. By submitting an EA request where EaNameLength is set precisely to the buffer boundary, the attacker triggers the kernel to dereference one byte past the validated allocation. The condition can be used to probe adjacent kernel memory contents or destabilize the SMB server thread. The fix is distributed across the following stable kernel commits: Linux Kernel Commit 6dc8cf6e, Linux Kernel Commit 95d7a890, Linux Kernel Commit a28a375a, Linux Kernel Commit cae52c59, and Linux Kernel Commit d26af6d1.
No public proof-of-concept exploit code is associated with this CVE. The vulnerability is described in prose by upstream maintainers in the referenced commit messages.
Detection Methods for CVE-2025-68806
Indicators of Compromise
- Unexpected ksmbd kernel oops, KASAN slab-out-of-bounds reports, or general protection faults referencing smb2_set_ea in dmesg or journalctl -k
- Crashes or restarts of the ksmbd.mountd user-space helper following SMB2 SET_INFO traffic
- Unusual SMB2 SET_INFO requests carrying FILE_FULL_EA_INFORMATION from unexpected clients
Detection Strategies
- Inspect kernel ring buffer messages for stack traces that include smb2_set_ea, smb2_set_info_file, or ksmbd_vfs_setxattr
- Enable KASAN on test kernels to surface out-of-bounds reads in the SMB EA parsing path during fuzzing or regression runs
- Correlate SMB2 SET_INFO request rates with kernel exception counters to spot brute-force probing
Monitoring Recommendations
- Forward kernel logs and SMB audit events into a centralized analytics platform for correlation across hosts
- Track the running kernel version on every Linux host exposing ksmbd and flag versions earlier than the fixed stable releases
- Alert on any external network 445/TCP exposure of ksmbd-enabled hosts that should only serve internal clients
How to Mitigate CVE-2025-68806
Immediate Actions Required
- Update affected Linux systems to a stable kernel build that includes one of the fix commits referenced above
- Disable the ksmbd kernel module on hosts that do not require an in-kernel SMB3 server: modprobe -r ksmbd
- Restrict TCP/445 exposure to trusted management networks until patched kernels are deployed
- Require SMB authentication and disable guest access on any ksmbd share that must remain online
Patch Information
The fix adds + 1 to EaNameLength in every buffer-size check inside smb2_set_ea, aligning validation with the null-terminated layout that the parser expects. Backports are available across multiple stable branches via commits 6dc8cf6e, 95d7a890, a28a375a, cae52c59, and d26af6d1. Apply the kernel update provided by your distribution vendor or rebuild from the corresponding stable tag.
Workarounds
- Unload the ksmbd module and switch SMB workloads to a user-space implementation such as Samba where operationally feasible
- Block inbound SMB traffic at the host firewall using nftables or iptables rules limiting source addresses
- Remove EA-dependent shares or set vfs objects configurations that reject Extended Attribute operations on exposed shares
# Configuration example: disable ksmbd until the kernel is patched
sudo systemctl stop ksmbd.service
sudo systemctl disable ksmbd.service
sudo modprobe -r ksmbd
echo 'blacklist ksmbd' | sudo tee /etc/modprobe.d/blacklist-ksmbd.conf
# Restrict SMB to trusted management subnet only
sudo nft add rule inet filter input tcp dport 445 ip saddr != 10.0.0.0/24 drop
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

