Recently, a denial-of-service vulnerability was discovered in the KSMBD (SMB Direct) subsystem of the Linux kernel, attracting widespread attention in the open-source community. This vulnerability, identified as CVE-2025-38501, allows remote and unauthenticated attackers to exploit the kernel’s handling of half-open TCP sessions to exhaust all available SMB connections.
The key aspect of this vulnerability is that it enables attackers to deplete KSMBD connections through half-open TCP handshakes. A proof-of-concept (PoC) exploit named “KSMBDrain” sends a large number of SYN packets to the server, triggering the vulnerability. Currently, patches have been released for Linux versions 6.1.15 and higher to address this issue, and users can choose to upgrade their kernel or apply rate limiting on port 445.

From the perspective of the vulnerability’s mechanism, the flaw arises from KSMBD’s default behavior when handling incomplete connections—it retains these incomplete connections and imposes no upper limit on pending SYN-ACK sockets. When a client sends a SYN packet, the kernel responds with a SYN-ACK and waits for the final ACK. If the ACK never arrives, KSMBD keeps the connection slot open. By repeatedly sending SYN packets from a single IP address, an attacker can saturate the `max_connections` limit configured in `/etc/ksmbd/ksmbd.conf`, thereby completely denying subsequent legitimate SMB traffic.
Although administrators can set `handshake_timeout` as low as one minute, this only slows down the attack rather than stopping it, as attackers can continuously reopen new half-open sessions.
The publicly available PoC exploit is written in Python and uses raw sockets to launch mass handshake attempts. From the code snippet of `poc.py`, it is evident that implementing this exploit is quite simple. When this script is run against an vulnerable server, it quickly exhausts the connection pool, rendering SMB shares inaccessible and effectively stalling file transfer and authentication services.

This vulnerability was introduced in version 5.3 of the Linux kernel when the KSMBD module was merged into the mainline. Upstream maintainers addressed this issue by submitting e6bb9193974059ddbb0ce7763fa3882bd60d4dc3, which added configurable backlog limits and enforced a shorter `tcp_synack_retries` threshold for half-open sockets. Various distributions have begun rolling out updated kernel packages, and users should apply the fix by upgrading to Linux 6.1.15 or higher.
In environments where immediate kernel upgrades are not possible, applying network-level rate limiting on TCP port 445 and implementing stricter firewall rules can help mitigate the risk of exploitation. Additionally, security teams are advised to monitor for an abnormal number of SYN packets and adjust KSMBD’s user space settings to lower `handshake_timeout` and limit backlog counts.
As SMB services remain a critical component for file sharing and authentication in enterprise networks, timely patching is essential. The “KSMBDrain” exploit highlights the importance of defending against resource exhaustion attacks, which exploit protocol-level characteristics rather than code injection or privilege escalation. Continuous monitoring and keeping the kernel version up to date will reduce the risks posed by CVE-2025-38501.
Source:securityaffairs
Reprint withsource and link to this article
﹀﹀﹀

Share

Like

View

Click to read the original text for more