CVE-2025-21955 in Linux

Summary

by MITRE • 04/01/2025

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: prevent connection release during oplock break notification

ksmbd_work could be freed after connection release. Increment r_count of ksmbd_conn to indicate that requests are not finished yet and to not release the connection.


Analysis

by VulDB Data Team • 02/01/2026

The vulnerability identified as CVE-2025-21955 resides in the Linux kernel's ksmbd subsystem, which provides SMB2/SMB3 server functionality for Linux systems. The issue is a race condition that can lead to improper memory management while SMB connections are being handled. ksmbd is an in-kernel server implementation that lets a Linux system act as an SMB server, providing file sharing and related network services over the Server Message Block protocol. The vulnerability lies in the interaction between connection management and oplock (opportunistic lock) break notifications, which creates a scenario in which critical data structures can be freed while they are still in use.

The flaw manifests when a ksmbd_work structure is still being processed in the context of an oplock break notification while the connection associated with that work is concurrently released. The race occurs because the connection release path does not account for work items that are still in flight or pending completion. The ksmbd_conn structure maintains a reference count in its r_count field that is meant to prevent the connection from being released while requests are pending; however, the oplock break notification path did not hold such a reference, so the connection could be released and freed before the associated work items had finished, leading to a use-after-free and system instability.

The operational impact of this vulnerability extends beyond simple memory corruption: on affected kernel versions it could potentially enable arbitrary code execution or denial of service. When the ksmbd_work structure is freed prematurely, any subsequent access to that memory can cause a kernel panic, a system crash, or unpredictable behavior. The issue particularly affects systems that rely heavily on SMB file sharing, especially those serving many concurrent clients, where oplock breaks are frequent. Attackers could exploit this condition by establishing SMB connections and triggering oplock break scenarios while simultaneously forcing connection release, creating a window in which the race condition can be reliably reproduced.

The mitigation is proper reference counting, so that connection resources remain allocated until all pending operations have completed. The fix increments the r_count field of the ksmbd_conn structure while an oplock break notification is being processed, which prevents the connection from being released while that work item is still pending. This approach aligns with standard practice for managing shared resources in concurrent systems and matches the classification in the Common Weakness Enumeration, where CWE-362 denotes a race condition. Organizations should prioritize applying kernel updates that contain this fix and monitor systems for unusual behavior that might indicate exploitation attempts. The fix reflects secure coding practice and the resource management discipline that prevents the memory safety issues grouped under memory corruption in the attack technique catalog. System administrators should also consider network segmentation and access controls to limit exposure while awaiting patch deployment, particularly in environments where SMB services are used extensively.
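The race and the r_count guard, modelled in plain user-space C as an added example (this is not the kernel's ksmbd code; the struct and function names are simplified stand-ins for ksmbd_conn, ksmbd_work and the oplock break path, and "freed" is a flag rather than a real free). The same interleaving is run once without and once with the reference increment the fix adds.

```c
#include <stdbool.h>

/* User-space model (added example, not kernel code) of the r_count guard the
 * fix places around oplock break notification; names are simplified. */
struct conn { int r_count; bool freed; };   /* freed: memory was released */
struct work { struct conn *conn; bool holds_ref; };

/* Teardown only completes once no request still references the connection. */
static bool conn_release(struct conn *c)
{
    if (c->r_count != 0)
        return false;  /* the kernel waits on a wait queue here instead */
    c->freed = true;
    return true;
}

/* Queue an oplock break notification; 'fixed' selects the patched path. */
static void queue_oplock_break(struct work *w, struct conn *c, bool fixed)
{
    w->conn = c;
    w->holds_ref = fixed;
    if (fixed)
        c->r_count++;  /* the fix: pin the connection while work is pending */
}

/* Deferred work runs later; returns false if it touched released memory. */
static bool run_oplock_break(struct work *w)
{
    bool safe = !w->conn->freed;
    if (w->holds_ref)
        w->conn->r_count--;  /* drop the reference when the work completes */
    return safe;
}

/* The interleaving from the advisory: break queued, connection released,
 * work runs last.  Returns true if the work never saw freed memory. */
static bool oplock_break_race(bool fixed)
{
    struct conn c = { .r_count = 0, .freed = false };
    struct work w;
    queue_oplock_break(&w, &c, fixed);
    conn_release(&c);            /* unpatched: frees conn under pending work */
    bool safe = run_oplock_break(&w);
    conn_release(&c);            /* patched: succeeds once r_count reaches 0 */
    return safe;
}
```

Without the increment the deferred work observes a released connection; with it, the release is deferred until the work drops its reference and then completes normally.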

Responsible

Linux

Reservation

12/29/2024

Disclosure

04/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00189

KEV

no

Activities

very low
