CVE-2025-71153 Overview
A memory leak vulnerability has been identified in the Linux kernel's ksmbd (in-kernel SMB server) component, specifically within the get_file_all_info() function. When the vfs_getattr() function call fails, the error handling path returns immediately without properly freeing the allocated filename buffer, resulting in a memory leak condition.
Critical Impact
This memory leak vulnerability in the ksmbd SMB server component can lead to gradual memory exhaustion on affected Linux systems, potentially causing denial of service conditions for SMB file sharing services over time.
Affected Products
- Linux Kernel (ksmbd module)
- Linux systems with in-kernel SMB server enabled
- Enterprise Linux distributions using ksmbd for file sharing
Discovery Timeline
- January 23, 2026 - CVE-2025-71153 published to NVD
- January 26, 2026 - Last updated in NVD database
Technical Details for CVE-2025-71153
Vulnerability Analysis
The vulnerability exists in the ksmbd module's get_file_all_info() function, which is responsible for retrieving file information for SMB protocol operations. During normal operation, this function allocates memory for storing the filename. However, when the subsequent call to vfs_getattr() fails (which retrieves file attributes from the virtual file system), the function's error handling code returns immediately without freeing the previously allocated filename memory.
This improper resource management creates a classic memory leak scenario. Each time the error condition is triggered, a small amount of kernel memory becomes unreclaimable until the system is rebooted. In environments with high SMB traffic or where vfs_getattr() failures occur frequently, this can lead to significant memory consumption over time.
Root Cause
The root cause is an incomplete error handling path in the get_file_all_info() function. When memory is allocated for the filename and a subsequent operation fails, the cleanup code must explicitly free all previously allocated resources before returning. In this case, the developer failed to add the necessary kfree() call for the filename buffer in the error path following the vfs_getattr() failure.
Attack Vector
The attack vector for this vulnerability is through SMB protocol interactions with the ksmbd server. An attacker with network access to an affected SMB server could potentially trigger repeated vfs_getattr() failures by:
- Requesting information about files in unusual states
- Exploiting race conditions during file operations
- Targeting files on storage backends that may return errors
Each failed request would leak a small amount of kernel memory, and sustained exploitation could eventually exhaust system memory resources, leading to denial of service.
The vulnerability mechanism involves the missing cleanup in the error path of the get_file_all_info() function. When vfs_getattr() fails after the filename has been allocated, the function returns an error code without first calling kfree() on the allocated filename buffer. The fix adds proper memory deallocation before the error return. For technical implementation details, refer to the kernel security commits.
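The missing cleanup described under Root Cause and in the paragraph above, shown as a user-space C model of the error path before and after the fix. This is an added example, not the ksmbd source or the upstream patch; alloc_filename, free_filename, model_getattr, all_info_leaky, all_info_fixed and leaked_after are hypothetical names, and model_getattr stands in for vfs_getattr().

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-space model of the pattern; every name is hypothetical, not ksmbd code. */
static long live_bufs; /* filename buffers allocated and not yet freed */
static char *alloc_filename(const char *path)
{
    char *p = malloc(strlen(path) + 1);
    if (p) { strcpy(p, path); live_bufs++; }
    return p;
}
static void free_filename(char *p) { free(p); live_bufs--; }
static int model_getattr(int fail) { return fail ? -EIO : 0; } /* vfs_getattr() stand-in */

/* Before: the early return on getattr failure skips the free. */
static int all_info_leaky(const char *path, int fail)
{
    char *filename = alloc_filename(path);
    if (!filename) return -ENOMEM;
    int ret = model_getattr(fail);
    if (ret) return ret;         /* filename is never freed on this path */
    free_filename(filename);     /* success path: freed after use */
    return 0;
}

/* After: the buffer is freed before the error is returned. */
static int all_info_fixed(const char *path, int fail)
{
    char *filename = alloc_filename(path);
    if (!filename) return -ENOMEM;
    int ret = model_getattr(fail);
    if (ret) { free_filename(filename); return ret; }
    free_filename(filename);
    return 0;
}

/* Buffers still outstanding after n requests whose getattr step fails. */
static long leaked_after(int (*fn)(const char *, int), int n)
{
    long before = live_bufs;
    for (int i = 0; i < n; i++) fn("share/constructed.txt", 1);
    return live_bufs - before;
}
int main(void)
{
    printf("leaky=%ld fixed=%ld\n", leaked_after(all_info_leaky, 100),
           leaked_after(all_info_fixed, 100));
    return 0;
}
```

In the model, the number of outstanding buffers grows by one per failed request in the first variant and stays flat in the second, which is the same growth pattern the slab statistics would show on an unpatched server.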
Detection Methods for CVE-2025-71153
Indicators of Compromise
- Gradual increase in kernel memory usage on systems running ksmbd
- Memory allocation failures or OOM (Out of Memory) conditions in kernel logs
- Degraded SMB server performance over extended periods without restart
- Slab memory statistics showing increasing unreclaimable memory
Detection Strategies
- Monitor /proc/meminfo for unexplained growth in kernel memory consumption
- Track ksmbd-related memory allocations using kernel memory debugging tools
- Implement alerting on memory pressure indicators for systems running ksmbd
- Review system logs for vfs_getattr() failures correlated with memory growth
Monitoring Recommendations
- Enable kernel memory leak detection tools such as kmemleak during testing
- Set up automated monitoring for memory consumption trends on SMB servers
- Configure alerts for abnormal memory growth patterns in production environments
- Periodically review /proc/slabinfo for ksmbd-related allocations
How to Mitigate CVE-2025-71153
Immediate Actions Required
- Apply the latest kernel security patches that address CVE-2025-71153
- Schedule system restarts for affected servers to reclaim leaked memory
- Monitor memory usage closely on systems that cannot be immediately patched
- Consider temporarily disabling ksmbd in favor of userspace Samba if patching is delayed
Patch Information
The Linux kernel maintainers have released patches to fix this memory leak. The fix ensures that the allocated filename is properly freed before returning in the vfs_getattr() error case. Multiple kernel versions have been patched as documented in the kernel stable git commits.
Administrators should update to a kernel version containing these fixes as soon as possible.
Workarounds
- Implement scheduled restarts of affected systems to periodically reclaim leaked memory
- Use userspace Samba implementation instead of ksmbd until patches are applied
- Limit network access to ksmbd services to reduce potential attack surface
- Monitor and set memory limits to prevent complete system exhaustion
# Configuration example
# Check if ksmbd module is loaded
lsmod | grep ksmbd
# Monitor kernel memory usage
watch -n 60 'cat /proc/meminfo | grep -E "MemFree|Slab|SReclaimable|SUnreclaim"'
# If using ksmbd, consider switching to userspace samba temporarily
# Stop ksmbd service and start smbd instead
systemctl stop ksmbd
systemctl start smbd


