CVE-2025-71223 Overview
A reference count leak vulnerability has been identified in the Linux kernel's SMB server implementation (ksmbd). The vulnerability exists in the smb2_open() function where a failure in ksmbd_vfs_getattr() does not properly release the reference count of ksmbd_file, leading to a memory leak condition.
Critical Impact
This memory leak vulnerability in the Linux kernel SMB server can lead to resource exhaustion and potential denial of service conditions on affected systems running ksmbd.
Affected Products
- Linux kernel with ksmbd (kernel SMB server) enabled
- Systems using in-kernel SMB file sharing functionality
- Server deployments utilizing ksmbd for Windows file sharing compatibility
Discovery Timeline
- 2026-02-14 - CVE CVE-2025-71223 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-71223
Vulnerability Analysis
The vulnerability resides in the smb2_open() function within the ksmbd (kernel SMB server) subsystem of the Linux kernel. When processing SMB2 open requests, the function allocates and initializes a ksmbd_file structure, incrementing its reference count. However, when a subsequent call to ksmbd_vfs_getattr() fails, the error handling path does not properly decrement this reference count before returning.
This creates a reference count leak where the ksmbd_file object is never properly freed, even though the open operation has failed. Over time, repeated failed operations can accumulate leaked references, consuming kernel memory that cannot be reclaimed.
Root Cause
The root cause is improper reference count management in the error handling path of smb2_open(). The function acquires a reference to a ksmbd_file object early in its execution but fails to release this reference when ksmbd_vfs_getattr() returns an error. This violates the kernel's reference counting discipline, which requires that every acquired reference must be explicitly released on all code paths, including error paths.
Attack Vector
The vulnerability can be triggered through SMB2 protocol interactions with a ksmbd server. An attacker with network access to an SMB share served by ksmbd could potentially craft requests that cause ksmbd_vfs_getattr() to fail repeatedly, gradually exhausting kernel memory through accumulated reference leaks. This could lead to denial of service conditions on the affected server.
The exploitation does not require authentication if anonymous access is permitted, though in most configurations, SMB authentication would be required before reaching the vulnerable code path.
Detection Methods for CVE-2025-71223
Indicators of Compromise
- Gradual increase in kernel memory usage on systems running ksmbd
- SMB server performance degradation over time without corresponding increase in legitimate workload
- Kernel memory allocation failures or out-of-memory conditions on SMB servers
- Unusual patterns of failed SMB2 open operations in server logs
Detection Strategies
- Monitor kernel memory utilization trends on systems running ksmbd SMB server functionality
- Implement alerting on increasing slab memory consumption, particularly in ksmbd-related caches
- Review SMB server logs for patterns of repeated failed open operations from specific sources
- Use kernel tracing tools to monitor reference count operations in ksmbd module
Monitoring Recommendations
- Deploy memory monitoring on all systems with ksmbd enabled to detect gradual resource exhaustion
- Implement network monitoring for anomalous SMB traffic patterns that could indicate exploitation attempts
- Configure automated alerts when kernel memory usage exceeds baseline thresholds
- Regularly review system logs for ksmbd-related error messages indicating getattr failures
How to Mitigate CVE-2025-71223
Immediate Actions Required
- Apply the latest kernel patches that address the reference count leak in smb2_open()
- Consider temporarily disabling ksmbd if not actively required until patches are applied
- Implement network access controls to limit SMB access to trusted hosts only
- Monitor affected systems for signs of memory exhaustion while awaiting patch deployment
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix ensures that the reference count of ksmbd_file is properly released when ksmbd_vfs_getattr() fails. Multiple stable kernel branches have received this fix:
- Kernel Git Commit 2456fde
- Kernel Git Commit 39ca11f
- Kernel Git Commit 4665e52
- Kernel Git Commit f416c55
Update to a kernel version containing one of these commits to remediate the vulnerability.
Workarounds
- Disable ksmbd module if SMB server functionality is not required (modprobe -r ksmbd)
- Use Samba userspace implementation instead of ksmbd for SMB file sharing
- Implement firewall rules to restrict SMB access to trusted networks and hosts
- Schedule regular system restarts to clear accumulated leaked memory as a temporary measure
# Disable ksmbd module if not required
sudo modprobe -r ksmbd
# Verify ksmbd is not loaded
lsmod | grep ksmbd
# Block external SMB access via firewall (example using iptables)
sudo iptables -A INPUT -p tcp --dport 445 -s ! 10.0.0.0/8 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
