A denial-of-service vulnerability has been discovered in the KSMBD (SMB Direct) subsystem of the Linux kernel, which has garnered significant attention in the open-source community. This vulnerability, identified as CVE-2025-38501, allows remote attackers to exhaust all available SMB connections without authentication by exploiting the kernel’s handling of half-open TCP sessions.
01
Key Points
CVE-2025-38501 allows attackers to exhaust KSMBD connections through half-open TCP handshakes.
The proof-of-concept tool “KSMBDrain” triggers the vulnerability via SYN flooding.
Versions 6.1.15+ of Linux have been patched; upgrading or implementing rate limiting on port 445 is recommended.
The publicly available proof-of-concept tool KSMBDrain demonstrates the attack principle: an attacker can initiate thousands of TCP three-way handshakes without completing the session establishment, causing the server to indefinitely maintain socket connections.
02
Mechanism of KSMBD Denial-of-Service Attack
The vulnerability arises from KSMBD’s default behavior of retaining incomplete connections without limit. When a client sends a SYN packet, the kernel replies with a SYN-ACK and waits for the final ACK confirmation. If the ACK is never received, KSMBD continues to occupy connection slots. An attacker can quickly exhaust the max_connections limit configured in /etc/ksmbd/ksmbd.conf by repeatedly sending SYN packets from a single IP address, leading to a complete denial of legitimate SMB traffic.
Although administrators can set the handshake_timeout to a minimum of one minute, this only delays the attack and does not provide complete defense, as attackers can continuously initiate new half-open connections.
The publicly available Python PoC utilizes raw sockets to batch initiate handshake attempts. The attack method is extremely simple, as seen in the poc.py code snippet:
# Example code snippet here
The KSMBD denial-of-service attack diagram shows that when this script runs against a vulnerable server, it can quickly exhaust the connection pool, rendering SMB shares unavailable and completely interrupting file transfer and authentication services.
03
Mitigation Measures
This vulnerability was introduced with Linux kernel version 5.3 when the KSMBD module was merged into the mainline. Upstream maintainers have fixed this issue by submitting e6bb9193974059ddbb0ce7763fa3882bd60d4dc3, which added configurable backlog connection limits and implemented stricter tcp_synack_retries thresholds for half-open sockets.
Various distributions have begun pushing updated kernel packages, and users should upgrade to Linux 6.1.15 or higher. If immediate kernel upgrades are not possible, the following measures can mitigate risks:
-
Implement rate limiting on TCP port 445 at the network layer
-
Configure stricter firewall rules
-
Monitor the number of abnormal SYN packets
-
Adjust KSMBD user space settings to reduce handshake_timeout and limit backlog connections
Given that SMB services play a critical role in enterprise networks for file sharing and authentication,it is recommended to patch as soon as possible. The KSMBDrain vulnerability indicates that defending against resource exhaustion attacks that exploit protocol characteristics, rather than code injection or privilege escalation, is equally important.Continuous monitoring and keeping the kernel version updated are key measures to mitigate the risks of CVE-2025-38501.
References:
Linux Kernel’s KSMBD Subsystem Vulnerability Let Remote Attackers Exhaust Server Resources
https://cybersecuritynews.com/linux-kernels-ksmbd-subsystem-vulnerability/
END
▌Source: FreeBuf
Disclaimer:
The copyright of the articles published in this public account belongs to the original author, and is for readers’ learning, enhancing awareness of network security, and reference for network security protection. It is prohibited to use the information in this article for illegal or commercial purposes, and any consequences arising from violations shall be borne by the user. If the source is incorrectly marked, or if there are any infringements related to the software/materials contained in the images, text, or links used in the article, please contact us for deletion. Thank you!
WeChat ID丨HuaNuo Information Security
——Making connections safer and management simpler——