CVE-2025-22041 in Linuxinfo

Summary

by MITRE • 04/16/2025

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in ksmbd_sessions_deregister()

In multichannel mode, a UAF issue can occur in session_deregister when the second channel sets up a session through the connection of the first channel. A session that is freed through the global session table can be accessed again through ->sessions of the connection.


Analysis

by VulDB Data Team • 02/15/2026

The vulnerability CVE-2025-22041 is a critical use-after-free in the Linux kernel's ksmbd implementation, the in-kernel SMB/CIFS server. The issue manifests in multichannel SMB configurations, where several network connections are bound to the same SMB session; the interaction between those channels leads to a memory-safety violation. ksmbd is a kernel module that provides SMB/CIFS server capabilities, letting Linux systems act as file servers for Windows and other SMB clients.

The flaw occurs during session deregistration: ksmbd_sessions_deregister() does not correctly handle reference counting in multichannel scenarios. When a second channel establishes a session using the connection of the first channel, the session structure is freed via the global session table while it remains reachable through the connection's ->sessions list. This creates a race condition in which the freed memory can be accessed again, leading to memory corruption and potentially arbitrary code execution. The vulnerability is classified under CWE-416 (Use After Free), which covers the use of memory after it has been freed and is one of the most dangerous classes of memory-safety vulnerabilities.

The operational impact extends beyond simple memory corruption: the condition can be exploited for privilege escalation and remote code execution in kernel space. An attacker who can trigger it may manipulate the kernel's memory layout and potentially gain full control of the affected system. Because the bug is tied to multichannel operation, it affects deployments where clients open multiple connections to the same SMB session, which is common in enterprise environments that rely on SMB multichannel for availability and throughput. The vulnerability maps to ATT&CK technique T1068 (Exploitation for Privilege Escalation), since the compromised kernel functionality can be used to escalate privileges and maintain persistent access.

Mitigation for CVE-2025-22041 covers both immediate patching and the architecture of SMB deployments. Administrators should prioritize applying the kernel patches that resolve the use-after-free in ksmbd_sessions_deregister(). In addition, network segmentation and access controls should limit exposure to untrusted SMB connections, particularly where multichannel SMB is in use. The fix typically involves proper reference counting and ensuring that session structures are not accessed after they have been freed from the global session table. Organizations should also monitor for unusual SMB connection patterns and deploy intrusion detection capable of flagging exploitation attempts against this vulnerability class.
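The ownership problem described in the analysis above (a session reachable from both a global table and a per-connection list, torn down through one path while the other still holds a raw pointer) and the reference-counting remedy named in the mitigation paragraph can be seen in a small user-space model. This is an added example and not ksmbd code or the kernel's actual fix; the structures, function names and the session id are hypothetical, and "release" is modelled by a flag so the dangling pointer can be counted instead of dereferenced.

```c
/* Added example: user-space model of a session held by a global table and by
 * several connections (channels). Not kernel code; all names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_SESS 4

struct session {
    unsigned long id;
    int refcount;   /* hypothetical: one reference per holder (table + channels) */
    int released;   /* model flag: set where real code would free the object */
};

struct connection {
    struct session *sessions[MAX_SESS];   /* models conn->sessions */
    int nsess;
};

static struct session *global_table[MAX_SESS];  /* models the global session table */
static int table_len;

static void table_remove(struct session *s)
{
    for (int i = 0; i < table_len; i++) {
        if (global_table[i] == s) {
            global_table[i] = global_table[--table_len];
            return;
        }
    }
}

static struct session *session_create(unsigned long id)
{
    struct session *s = calloc(1, sizeof *s);
    s->id = id;
    s->refcount = 1;                  /* the global table holds one reference */
    global_table[table_len++] = s;
    return s;
}

static void channel_bind(struct connection *c, struct session *s)
{
    c->sessions[c->nsess++] = s;
    s->refcount++;                    /* this channel now holds a reference */
}

/* Buggy teardown: every session of the dying connection is dropped from the
 * global table and released, even if another channel is still bound to it. */
static void sessions_deregister_buggy(struct connection *dying)
{
    for (int i = 0; i < dying->nsess; i++) {
        struct session *s = dying->sessions[i];
        table_remove(s);
        s->released = 1;              /* other connections keep a dangling pointer */
    }
    dying->nsess = 0;
}

/* Fixed teardown: only this connection's reference is dropped. The session is
 * removed from the table and released once no channel references it. */
static void sessions_deregister_fixed(struct connection *dying)
{
    for (int i = 0; i < dying->nsess; i++) {
        struct session *s = dying->sessions[i];
        dying->sessions[i] = NULL;
        if (--s->refcount == 1) {     /* only the table reference remains */
            table_remove(s);
            s->refcount = 0;
            s->released = 1;
        }
    }
    dying->nsess = 0;
}

/* Number of entries in a connection's list that point at a released session. */
static int count_dangling(const struct connection *c)
{
    int n = 0;
    for (int i = 0; i < c->nsess; i++)
        if (c->sessions[i] && c->sessions[i]->released)
            n++;
    return n;
}

/* Two channels bound to one session; the first channel goes away.
 * Returns how many dangling session pointers the second channel is left with. */
static int run_scenario(int use_fix)
{
    struct connection first = {0}, second = {0};
    table_len = 0;
    struct session *s = session_create(0x1001);   /* constructed session id */
    channel_bind(&first, s);
    channel_bind(&second, s);
    if (use_fix)
        sessions_deregister_fixed(&first);
    else
        sessions_deregister_buggy(&first);
    int dangling = count_dangling(&second);
    if (use_fix)
        sessions_deregister_fixed(&second);       /* last holder: now released */
    free(s);
    return dangling;
}

int main(void)
{
    printf("buggy teardown leaves %d dangling pointer(s)\n", run_scenario(0));
    printf("fixed teardown leaves %d dangling pointer(s)\n", run_scenario(1));
    return 0;
}
```

The buggy path reports one dangling pointer in the surviving channel; the fixed path reports none, and the session leaves the global table only after the last channel lets go.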

Responsible

Linux

Reservation

12/29/2024

Disclosure

04/16/2025

Moderation

accepted

CPE

ready

EPSS

0.00564

KEV

no

Activities

very low
