Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71220

CVE-2025-71220: Linux Kernel Privilege Escalation Flaw

CVE-2025-71220 is a privilege escalation vulnerability in the Linux kernel's SMB server component that affects error handling in ksmbd. This article covers the technical details, affected versions, and mitigation strategies.

Published:

CVE-2025-71220 Overview

CVE-2025-71220 is a vulnerability in the Linux kernel's KSMBD (Kernel SMB Server) component affecting the error handling path in the create_smb2_pipe() function. When the ksmbd_iov_pin_rsp() function fails, the code fails to properly call ksmbd_session_rpc_close(), resulting in improper resource cleanup that could lead to resource leaks or inconsistent system state.

Critical Impact

Missing error path cleanup in the Linux kernel's SMB server implementation could result in resource leaks and potential system instability when handling SMB2 pipe creation failures.

Affected Products

  • Linux Kernel (KSMBD module)
  • Linux systems with ksmbd SMB server enabled

Discovery Timeline

  • 2026-02-14 - CVE CVE-2025-71220 published to NVD
  • 2026-02-18 - Last updated in NVD database

Technical Details for CVE-2025-71220

Vulnerability Analysis

This vulnerability exists within the Linux kernel's in-kernel SMB server implementation (KSMBD). The issue is classified as a resource management error where proper cleanup procedures are not followed when an error occurs during SMB2 pipe creation. Specifically, when the create_smb2_pipe() function encounters a failure in ksmbd_iov_pin_rsp(), the code path does not properly close the RPC session by calling ksmbd_session_rpc_close().

The KSMBD module provides native SMB3 server functionality directly in the Linux kernel, enabling high-performance file sharing. The vulnerability affects the IPC (Inter-Process Communication) pipe handling mechanism used for RPC communications over SMB.

Root Cause

The root cause is an incomplete error handling path in the create_smb2_pipe() function. When ksmbd_iov_pin_rsp() returns an error, the function exits without properly cleaning up the RPC session resources that were allocated earlier in the function. This results in orphaned RPC session objects that are not properly released.

The missing ksmbd_session_rpc_close() call on the error path means that any RPC session resources opened before the ksmbd_iov_pin_rsp() failure remain allocated, potentially causing memory leaks or resource exhaustion over time.

Attack Vector

The attack vector for this vulnerability is currently unknown. However, the vulnerability is triggered when an error condition occurs in ksmbd_iov_pin_rsp() during SMB2 pipe creation. An attacker with network access to a vulnerable KSMBD server could potentially trigger this condition by:

  1. Establishing an SMB session with the target server
  2. Initiating SMB2 pipe creation requests that cause ksmbd_iov_pin_rsp() to fail
  3. Repeatedly triggering this condition to cause resource exhaustion

The practical exploitability depends on the conditions under which ksmbd_iov_pin_rsp() can fail and whether an attacker can reliably trigger those conditions.

Detection Methods for CVE-2025-71220

Indicators of Compromise

  • Unusual memory growth in kernel space associated with the KSMBD module
  • Increasing number of orphaned RPC session objects
  • System instability or performance degradation on systems running the KSMBD SMB server

Detection Strategies

  • Monitor kernel memory usage patterns for gradual increases in KSMBD-related allocations
  • Implement kernel tracing to detect repeated failures in ksmbd_iov_pin_rsp() function calls
  • Review system logs for SMB server errors or warnings related to pipe creation failures

Monitoring Recommendations

  • Enable ksmbd debug logging to capture detailed error information during SMB operations
  • Implement memory leak detection tools to identify resource accumulation in kernel space
  • Set up alerts for abnormal SMB connection patterns or repeated pipe creation failures

How to Mitigate CVE-2025-71220

Immediate Actions Required

  • Apply the latest kernel patches that include the fix for this vulnerability
  • Consider disabling KSMBD if not required for system operation
  • Monitor systems for signs of resource exhaustion until patches can be applied

Patch Information

The Linux kernel maintainers have released patches to address this vulnerability. The fix ensures that ksmbd_session_rpc_close() is properly called when ksmbd_iov_pin_rsp() fails in the create_smb2_pipe() function. Multiple stable kernel branches have received this fix:

Workarounds

  • Disable the KSMBD kernel module if in-kernel SMB server functionality is not required: modprobe -r ksmbd
  • Use Samba userspace SMB server as an alternative if SMB services are needed
  • Implement network-level access controls to restrict SMB access to trusted clients only
  • Consider firewall rules to limit exposure of SMB ports (445/TCP) to untrusted networks
bash
# Disable ksmbd module
modprobe -r ksmbd

# Blacklist ksmbd to prevent automatic loading
echo "blacklist ksmbd" >> /etc/modprobe.d/blacklist.conf

# Verify module is not loaded
lsmod | grep ksmbd

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.