CVE-2025-71150 Overview
A reference count leak has been identified in the Linux kernel's ksmbd (Kernel SMB Daemon) component. It occurs during session lookup: when a lookup finds a session whose state is not SMB2_SESSION_VALID, the code returns without decrementing the reference count taken during the lookup, so the session object is never released and its memory leaks.
Critical Impact
This reference count leak can lead to resource exhaustion over time, potentially causing denial of service conditions on affected systems running ksmbd for SMB file sharing services.
Affected Products
- Linux kernel with ksmbd (Kernel SMB Daemon) enabled
- Systems using ksmbd for SMB3 file sharing services
Discovery Timeline
- 2026-01-23 - CVE-2025-71150 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-71150
Vulnerability Analysis
The vulnerability resides in the ksmbd session management code within the Linux kernel. ksmbd is the in-kernel SMB3 server implementation that provides high-performance file sharing capabilities. During normal operation, when client sessions are looked up, the kernel increments a reference counter to track the session object's usage.
The flaw manifests when a session lookup operation successfully finds a session object, but that session's state is not SMB2_SESSION_VALID (indicating an invalid or expired session). In this scenario, the code path correctly identifies that no valid session was found, but critically fails to call the reference count decrement function. Each occurrence of this condition leaves an orphaned reference, causing memory to remain allocated indefinitely.
Root Cause
The root cause is a missing call to ksmbd_user_session_put() in the error handling path when an invalid session state is detected during session lookup. Reference counting is a fundamental kernel memory management technique, and failure to properly balance increments and decrements leads to memory leaks that accumulate over the lifetime of the system.
Attack Vector
The vulnerability can be triggered through SMB session operations where invalid or expired sessions are encountered during lookup. While the attack vector specifics depend on the system configuration, repeated triggering of this condition could lead to memory exhaustion on systems running ksmbd. The patch addresses this by explicitly calling ksmbd_user_session_put() to release the reference to the session when an invalid state is detected.
Detection Methods for CVE-2025-71150
Indicators of Compromise
- Unexplained memory growth on systems running ksmbd services
- Increasing kernel memory usage without corresponding workload increase
- System performance degradation over time on SMB file servers
- Kernel slab allocator showing growing session-related object counts
Detection Strategies
- Monitor kernel memory allocation patterns for ksmbd-related structures
- Implement memory usage alerts for systems running in-kernel SMB services
- Review kernel logs for ksmbd session management errors
- Use kernel memory debugging tools to track reference count anomalies
Monitoring Recommendations
- Enable kernel memory leak detection mechanisms on affected systems
- Monitor /proc/meminfo and /proc/slabinfo for unusual memory patterns
- Configure alerts for memory thresholds on ksmbd-enabled servers
- Implement periodic restarts of ksmbd services as a temporary mitigation measure
How to Mitigate CVE-2025-71150
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix
- Review systems running ksmbd for signs of memory exhaustion
- Consider disabling ksmbd and using user-space Samba if patching is not immediately possible
- Monitor affected systems closely until patches can be applied
Patch Information
Multiple kernel patches have been released to address this vulnerability. The fix explicitly adds a call to ksmbd_user_session_put() to properly release the reference when an invalid session state is detected during lookup. Patches are available through the following kernel commits:
- Kernel Commit 02e06785
- Kernel Commit 0fb87b28
- Kernel Commit 8cabcb4d
- Kernel Commit cafb57f7
- Kernel Commit e54fb2a4
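The missing ksmbd_user_session_put() call described under Root Cause and Patch Information, modelled in user-space C as an added example (not kernel code and not part of this advisory): the struct, state names, table contents and helper functions are simplified stand-ins for the kernel's session object, refcount_t and lookup/put helpers, and the two lookup variants show the unbalanced path and the fixed one side by side, driven repeatedly so the accumulated leak is visible.

```c
/*
 * User-space model of the ksmbd session-lookup reference-count leak and
 * its fix. Added example: the types, state names and helpers below are
 * simplified stand-ins for the kernel's session object, refcount_t and
 * lookup/put helpers, not the kernel's own code.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the kernel's session states; only "valid" matters here. */
enum session_state { SESSION_NEW, SESSION_VALID, SESSION_EXPIRED };

struct session {
    unsigned long long id;
    enum session_state state;
    int refcount;            /* models the session's refcount_t */
};

/* The lookup helper takes a reference on the session it hands back, so every
 * non-NULL return must eventually be balanced by session_put(). */
static struct session *session_lookup(struct session *table, size_t n,
                                      unsigned long long id)
{
    for (size_t i = 0; i < n; i++) {
        if (table[i].id == id) {
            table[i].refcount++;
            return &table[i];
        }
    }
    return NULL;
}

/* Stand-in for ksmbd_user_session_put(): drops one reference. */
static void session_put(struct session *sess)
{
    sess->refcount--;
}

/* Leaking variant: the session exists but is not valid, and the reference
 * taken by session_lookup() is dropped on the floor along with the pointer. */
struct session *lookup_valid_buggy(struct session *table, size_t n,
                                   unsigned long long id)
{
    struct session *sess = session_lookup(table, n, id);

    if (sess && sess->state != SESSION_VALID)
        sess = NULL;         /* missing session_put(sess) */
    return sess;
}

/* Fixed variant: release the reference before reporting "no valid session". */
struct session *lookup_valid_fixed(struct session *table, size_t n,
                                   unsigned long long id)
{
    struct session *sess = session_lookup(table, n, id);

    if (sess && sess->state != SESSION_VALID) {
        session_put(sess);
        sess = NULL;
    }
    return sess;
}

/* Drive `iterations` lookups of the session with the given id through one
 * variant, releasing any valid session the caller receives, and return the
 * reference count left on that session. A balanced path leaves it at 0. */
static int refs_left_after(bool use_fixed, unsigned long long id, int iterations)
{
    /* Constructed table: one valid session and one that has expired. */
    struct session table[] = {
        { .id = 1, .state = SESSION_VALID,   .refcount = 0 },
        { .id = 2, .state = SESSION_EXPIRED, .refcount = 0 },
    };
    size_t n = sizeof(table) / sizeof(table[0]);

    for (int i = 0; i < iterations; i++) {
        struct session *s = use_fixed ? lookup_valid_fixed(table, n, id)
                                      : lookup_valid_buggy(table, n, id);
        if (s)
            session_put(s);  /* normal caller: done with the valid session */
    }
    for (size_t i = 0; i < n; i++)
        if (table[i].id == id)
            return table[i].refcount;
    return -1;               /* unknown id */
}

/* References leaked by repeatedly hitting the expired session (id 2). */
int leaked_refs_after(bool use_fixed, int iterations)
{
    return refs_left_after(use_fixed, 2, iterations);
}

/* The valid-session path (id 1) is balanced in both variants. */
int valid_refs_after(bool use_fixed, int iterations)
{
    return refs_left_after(use_fixed, 1, iterations);
}

int main(void)
{
    printf("buggy lookup, 100 hits on an expired session: %d leaked reference(s)\n",
           leaked_refs_after(false, 100));
    printf("fixed lookup, 100 hits on an expired session: %d leaked reference(s)\n",
           leaked_refs_after(true, 100));
    return 0;
}
```

Each hit on an expired session through the buggy variant leaves one reference behind, which is why the advisory's symptom is slow, workload-independent memory growth rather than a crash; the fixed variant and the valid-session path both return the count to zero.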
Workarounds
- Disable ksmbd module if SMB services are not required: modprobe -r ksmbd
- Switch to user-space Samba implementation as an alternative to in-kernel ksmbd
- Implement scheduled system reboots to clear accumulated leaked memory
- Limit SMB session activity on affected systems until patching is complete
# Disable ksmbd module if not required (modprobe -r refuses to unload a
# module that is still in use, so stop the ksmbd server first)
modprobe -r ksmbd
# Verify ksmbd module is not loaded
lsmod | grep ksmbd
# Block ksmbd from loading at boot; "blacklist" only stops alias-based
# autoloading, the "install" line also defeats explicit modprobe requests
echo "blacklist ksmbd" >> /etc/modprobe.d/blacklist-ksmbd.conf
echo "install ksmbd /bin/false" >> /etc/modprobe.d/blacklist-ksmbd.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

