CVE-2025-22037 in Linux

Summary

by MITRE • 04/16/2025

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix null pointer dereference in alloc_preauth_hash()

The client sends a malformed smb2 negotiate request. ksmbd returns an error response. Subsequently, the client can send smb2 session setup even though conn->preauth_info is not allocated. This patch adds a KSMBD_SESS_NEED_SETUP status of connection to ignore session setup requests if the smb2 negotiate phase is not complete.


Analysis

by VulDB Data Team • 02/15/2026

CVE-2025-22037 affects ksmbd, the Linux kernel's in-kernel SMB2/SMB3 file server. It is a NULL pointer dereference in alloc_preauth_hash(), reached during SMB2 session setup when the preceding negotiate phase never completed successfully. The root cause is missing connection-state validation: the server does not check that negotiation finished before it processes a session setup request. Because ksmbd runs in kernel context, the result is a denial of service against the host running the service.

The trigger sequence is the one described in the commit message. A client first sends a malformed SMB2 NEGOTIATE request. ksmbd rejects it with an error response, but the connection is left in the same state it was in before the request, and conn->preauth_info, which a successful negotiate would have allocated, remains NULL. The client then sends an SMB2 SESSION_SETUP request on the same connection. The unpatched session setup handler does not verify that negotiation completed, so it calls alloc_preauth_hash(), which dereferences conn->preauth_info and oopses. No credentials are involved: everything happens before authentication, so any client that can open a TCP connection to the SMB listener can trigger it.

Operationally, the impact is availability. ksmbd is not a user-space daemon, so a NULL pointer dereference is a kernel oops rather than a process crash: at minimum the worker thread handling the connection dies and the share becomes unavailable, and on systems configured with panic_on_oops the whole host goes down. The attack requires only network reachability to the SMB service and a handful of packets, which makes it cheap to repeat. Hosts that export shares with ksmbd to untrusted or semi-trusted networks are the ones at risk; systems that do not load the ksmbd module are not affected by this issue.

The fix introduces a KSMBD_SESS_NEED_SETUP connection status that is set only when the SMB2 negotiate phase completes. The session setup handler then checks that status and ignores the request if negotiation is not complete, so alloc_preauth_hash() is never reached with conn->preauth_info unallocated. This is a fail-closed state-machine check: instead of trusting that the client followed the protocol, the server records which phase it is in and rejects requests that are not valid in that phase. Fixing the state tracking rather than adding a NULL check at the single dereference site also protects any other code that assumes a completed negotiate.
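The following is an added illustration, not ksmbd code: a small user-space model of the connection state machine that the two preceding paragraphs describe, with the unpatched and patched session setup dispatch side by side. The enum values, handler names, request layout and the OOPS return code are assumptions chosen for the model; ksmbd's real identifiers and control flow differ. The model reports the NULL dereference as a return value instead of actually crashing, so both paths can be exercised.

```c
/*
 * Added example (not ksmbd code): a user-space model of the SMB2
 * NEGOTIATE -> SESSION_SETUP state gap behind CVE-2025-22037.
 * All names below are assumptions made for this model.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OOPS (-2)   /* model's stand-in for a kernel NULL-pointer oops */

enum conn_status {
    CONN_NEW,        /* nothing negotiated yet */
    CONN_NEED_SETUP, /* negotiate completed; session setup allowed (the added state) */
    CONN_GOOD,       /* session established */
};

struct preauth_info {
    uint8_t hash[64];
};

struct conn {
    enum conn_status status;
    struct preauth_info *preauth_info; /* NULL until negotiate succeeds */
};

struct negotiate_req {
    uint16_t dialect_count; /* 0 dialects: treated as malformed in this model */
};

/* Malformed request: error response, and the connection state is not advanced. */
static int handle_negotiate(struct conn *c, const struct negotiate_req *r)
{
    if (r->dialect_count == 0)
        return -EINVAL;                 /* preauth_info stays NULL */
    c->preauth_info = calloc(1, sizeof *c->preauth_info);
    if (!c->preauth_info)
        return -ENOMEM;
    c->status = CONN_NEED_SETUP;        /* fix: record that negotiate completed */
    return 0;
}

/* Model of alloc_preauth_hash(): uses conn->preauth_info unconditionally. */
static int alloc_preauth_hash(struct conn *c)
{
    if (!c->preauth_info)
        return OOPS;                    /* the kernel dereferences NULL here */
    memset(c->preauth_info->hash, 0xAB, sizeof c->preauth_info->hash);
    return 0;
}

/* Pre-fix dispatch: no check that negotiate finished. */
static int sess_setup_unpatched(struct conn *c)
{
    int rc = alloc_preauth_hash(c);
    if (rc == 0)
        c->status = CONN_GOOD;
    return rc;
}

/* Post-fix dispatch: fail closed unless the connection is in NEED_SETUP (or GOOD). */
static int sess_setup_patched(struct conn *c)
{
    if (c->status != CONN_NEED_SETUP && c->status != CONN_GOOD)
        return -EINVAL;                 /* negotiate phase not complete: ignore */
    int rc = alloc_preauth_hash(c);
    if (rc == 0)
        c->status = CONN_GOOD;
    return rc;
}

/*
 * Drive one connection: negotiate (malformed or valid), then session setup.
 * Returns 0 on success, -EINVAL when rejected, OOPS when the unpatched
 * path would have dereferenced NULL.
 */
static int run_sequence(int patched, int malformed_negotiate)
{
    struct conn c = { .status = CONN_NEW, .preauth_info = NULL };
    struct negotiate_req req = { .dialect_count = malformed_negotiate ? 0 : 1 };

    handle_negotiate(&c, &req);         /* error response on malformed input */
    int rc = patched ? sess_setup_patched(&c) : sess_setup_unpatched(&c);
    free(c.preauth_info);
    return rc;
}

int main(void)
{
    printf("unpatched, malformed negotiate: %d (OOPS=%d)\n", run_sequence(0, 1), OOPS);
    printf("patched,   malformed negotiate: %d (-EINVAL=%d)\n", run_sequence(1, 1), -EINVAL);
    printf("patched,   valid negotiate:     %d\n", run_sequence(1, 0));
    return 0;
}
```

The only difference between the two dispatchers is the state check at the top of sess_setup_patched(); in the model that is what turns the OOPS result into a clean rejection, while a valid negotiate followed by session setup still succeeds on both paths.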

This vulnerability maps to CWE-476 (NULL Pointer Dereference). In ATT&CK terms it is an endpoint denial of service by application or system exploitation, T1499.004, rather than a network flood. Organizations running ksmbd should move to a kernel that carries the fix; where that is not immediately possible, the usual compensating controls apply: do not load the ksmbd module on hosts that do not need to serve SMB, and restrict reachability of the SMB port to the clients that legitimately use it, since the trigger is pre-authentication and needs nothing more than a TCP connection.

Responsible: Linux
Reservation: 12/29/2024
Disclosure: 04/16/2025
Moderation: accepted
CPE: ready
EPSS: 0.23278
KEV: no
Activities: very low
