CVE-2025-71220 Overview
CVE-2025-71220 is a vulnerability in the Linux kernel's KSMBD (Kernel SMB Server) component affecting the error handling path in the create_smb2_pipe() function. When ksmbd_iov_pin_rsp() fails, the error path does not call ksmbd_session_rpc_close(), so resources are not cleaned up properly, which could lead to resource leaks or inconsistent system state.
Critical Impact
Missing error path cleanup in the Linux kernel's SMB server implementation could result in resource leaks and potential system instability when handling SMB2 pipe creation failures.
Affected Products
- Linux Kernel (KSMBD module)
- Linux systems with ksmbd SMB server enabled
Discovery Timeline
- 2026-02-14 - CVE-2025-71220 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-71220
Vulnerability Analysis
This vulnerability exists within the Linux kernel's in-kernel SMB server implementation (KSMBD). The issue is classified as a resource management error where proper cleanup procedures are not followed when an error occurs during SMB2 pipe creation. Specifically, when the create_smb2_pipe() function encounters a failure in ksmbd_iov_pin_rsp(), the code path does not properly close the RPC session by calling ksmbd_session_rpc_close().
The KSMBD module provides native SMB3 server functionality directly in the Linux kernel, enabling high-performance file sharing. The vulnerability affects the IPC (Inter-Process Communication) pipe handling mechanism used for RPC communications over SMB.
Root Cause
The root cause is an incomplete error handling path in the create_smb2_pipe() function. When ksmbd_iov_pin_rsp() returns an error, the function exits without properly cleaning up the RPC session resources that were allocated earlier in the function. This results in orphaned RPC session objects that are not properly released.
The missing ksmbd_session_rpc_close() call on the error path means that any RPC session resources opened before the ksmbd_iov_pin_rsp() failure remain allocated, potentially causing memory leaks or resource exhaustion over time.
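The leak pattern described above, as a user-space model (an added example, not kernel source and not the upstream patch). The helper names, the 64-slot table and the -12 error value are assumptions made for illustration; running the same failing create repeatedly shows the unfixed path filling the table while the fixed path leaves it empty.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only, not ksmbd source. model_rpc_open/close are
 * hypothetical stand-ins for the kernel's RPC session open/close. */
#define MAX_RPC 64
static bool rpc_slot[MAX_RPC];            /* true = RPC session still open */

static int model_rpc_open(void)
{
    for (int id = 0; id < MAX_RPC; id++)
        if (!rpc_slot[id]) { rpc_slot[id] = true; return id; }
    return -1;                            /* table exhausted */
}
static void model_rpc_close(int id) { rpc_slot[id] = false; }

/* cleanup_on_error == false models the leak; true models the fixed path. */
int model_create_pipe(bool pin_fails, bool cleanup_on_error)
{
    int id = model_rpc_open();
    if (id < 0)
        return -1;
    int err = pin_fails ? -12 : 0;        /* stand-in for ksmbd_iov_pin_rsp() */
    if (err) {
        if (cleanup_on_error)
            model_rpc_close(id);          /* the call the error path lacked */
        return err;
    }
    return id;                            /* success: session stays open */
}

/* Run n failing creates from an empty table; return sessions left open. */
int leaked_after(int n, bool cleanup_on_error)
{
    int open = 0;
    for (int id = 0; id < MAX_RPC; id++) rpc_slot[id] = false;
    for (int i = 0; i < n; i++)
        model_create_pipe(true, cleanup_on_error);
    for (int id = 0; id < MAX_RPC; id++) open += rpc_slot[id];
    return open;
}

int main(void)
{
    int unfixed = leaked_after(10, false), fixed = leaked_after(10, true);
    printf("open sessions after 10 failures: unfixed=%d fixed=%d\n", unfixed, fixed);
    return 0;
}
```

In the model, once the unfixed path has filled every slot, even a create that would otherwise succeed is refused, which is the resource-exhaustion outcome the analysis describes.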
Attack Vector
The attack vector for this vulnerability is currently unknown. However, the vulnerability is triggered when an error condition occurs in ksmbd_iov_pin_rsp() during SMB2 pipe creation. An attacker with network access to a vulnerable KSMBD server could potentially trigger this condition by:
- Establishing an SMB session with the target server
- Initiating SMB2 pipe creation requests that cause ksmbd_iov_pin_rsp() to fail
- Repeatedly triggering this condition to cause resource exhaustion
The practical exploitability depends on the conditions under which ksmbd_iov_pin_rsp() can fail and whether an attacker can reliably trigger those conditions.
Detection Methods for CVE-2025-71220
Indicators of Compromise
- Unusual memory growth in kernel space associated with the KSMBD module
- Increasing number of orphaned RPC session objects
- System instability or performance degradation on systems running the KSMBD SMB server
Detection Strategies
- Monitor kernel memory usage patterns for gradual increases in KSMBD-related allocations
- Implement kernel tracing to detect repeated failures in ksmbd_iov_pin_rsp() function calls
- Review system logs for SMB server errors or warnings related to pipe creation failures
Monitoring Recommendations
- Enable ksmbd debug logging to capture detailed error information during SMB operations
- Implement memory leak detection tools to identify resource accumulation in kernel space
- Set up alerts for abnormal SMB connection patterns or repeated pipe creation failures
How to Mitigate CVE-2025-71220
Immediate Actions Required
- Apply the latest kernel patches that include the fix for this vulnerability
- Consider disabling KSMBD if not required for system operation
- Monitor systems for signs of resource exhaustion until patches can be applied
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix ensures that ksmbd_session_rpc_close() is properly called when ksmbd_iov_pin_rsp() fails in the create_smb2_pipe() function. Multiple stable kernel branches have received this fix:
- Kernel Git Commit Update 1
- Kernel Git Commit Update 2
- Kernel Git Commit Update 3
- Kernel Git Commit Update 4
- Kernel Git Commit Update 5
- Kernel Git Commit Update 6
Workarounds
- Disable the KSMBD kernel module if in-kernel SMB server functionality is not required: modprobe -r ksmbd
- Use Samba userspace SMB server as an alternative if SMB services are needed
- Implement network-level access controls to restrict SMB access to trusted clients only
- Consider firewall rules to limit exposure of SMB ports (445/TCP) to untrusted networks
```bash
# Disable ksmbd module
modprobe -r ksmbd
# Blacklist ksmbd to prevent automatic loading
echo "blacklist ksmbd" >> /etc/modprobe.d/blacklist.conf
# Verify module is not loaded
lsmod | grep ksmbd
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

