CVE-2025-39720 in Linuxinfo

Summary

by MITRE • 09/05/2025

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix refcount leak causing resource not released

When ksmbd_conn_releasing(opinfo->conn) returns true,the refcount was not decremented properly, causing a refcount leak that prevents the count from reaching zero and the memory from being released.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 02/09/2026

The vulnerability identified as CVE-2025-39720 resides within the Linux kernel's ksmbd subsystem, which provides SMB/CIFS file sharing capabilities for Linux systems. This issue represents a classic reference counting problem that can lead to significant resource management failures within the kernel's memory allocation mechanisms. The ksmbd component serves as a kernel-space implementation for SMB protocol handling, enabling Linux systems to function as SMB servers for file and printer sharing services. When systems utilize this functionality, particularly in enterprise environments or network-attached storage configurations, the improper handling of reference counts can create persistent resource leaks that degrade system performance over time.

The technical flaw manifests in the ksmbd_conn_releasing function where the reference count decrement operation fails to execute properly when the function returns a true value. This condition occurs during the connection release process when the system attempts to clean up resources associated with SMB connections. The reference counting mechanism, which is fundamental to kernel memory management, relies on precise increment and decrement operations to track object usage and determine when memory can be safely freed. When the decrement operation is omitted or fails to execute, the reference count remains artificially inflated, preventing the kernel's memory management subsystem from recognizing that the connection object is no longer in use and should be deallocated.

The operational impact of this vulnerability extends beyond simple memory consumption issues, potentially leading to system instability and resource exhaustion over extended periods of operation. As the reference count leak accumulates across multiple connection sessions, system memory becomes progressively consumed by unreleased connection objects, which can result in reduced system performance, increased latency in connection handling, and eventually system crashes or hangs. This type of resource leak particularly affects high-traffic SMB servers where numerous concurrent connections are established and terminated, as each improperly handled connection contributes to the growing memory footprint. The vulnerability is classified under CWE-404, which addresses improper resource management and resource leaks in software systems, and aligns with ATT&CK technique T1490, which involves resource exhaustion attacks that can be facilitated through memory leaks.

Mitigation strategies for CVE-2025-39720 should focus on implementing proper reference count management within the ksmbd subsystem. System administrators should prioritize applying the latest kernel updates that contain the patched implementation of the ksmbd connection release mechanism. The fix requires ensuring that when ksmbd_conn_releasing(opinfo->conn) returns true, the corresponding reference count is properly decremented to allow the memory management subsystem to correctly release the connection object. Additionally, monitoring systems should be implemented to track memory usage patterns and connection counts on SMB servers, as early detection of resource consumption anomalies can help identify potential impacts from similar reference counting issues. Organizations should also consider implementing connection limiting measures and regular system restart procedures to mitigate the cumulative effects of such resource leaks while awaiting official patches. The vulnerability demonstrates the critical importance of proper resource management in kernel-space code and highlights the need for comprehensive testing of reference counting logic in high-availability server implementations.

Responsible

Linux

Reservation

04/16/2025

Disclosure

09/05/2025

Moderation

accepted

CPE

ready

EPSS

0.00135

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!