A denial-of-service vulnerability has been discovered in the KSMBD (SMB Direct) subsystem of the Linux kernel, which has garnered widespread attention in the open-source community. This vulnerability, identified as CVE-2025-38501, allows remote attackers to exhaust all available SMB connections without authentication by exploiting the kernel’s handling of half-open TCP sessions.
Key Points
- CVE-2025-38501 allows attackers to exhaust KSMBD connections through half-open TCP handshakes.
- The proof-of-concept tool “KSMBDrain” triggers the vulnerability via SYN flooding.
- Linux versions 6.1.15 and above have been patched; upgrading or implementing rate limiting on port 445 is recommended.
The publicly available proof-of-concept tool KSMBDrain demonstrates the attack principle: an attacker can initiate thousands of TCP three-way handshakes without completing the session establishment, causing the server to indefinitely maintain socket connections.
Mechanism of KSMBD Denial-of-Service Attack
The vulnerability arises from KSMBD’s default behavior of retaining incomplete connections without limit. When a client sends a SYN packet, the kernel replies with a SYN-ACK and waits for the final ACK confirmation. If the ACK is never received, KSMBD continues to occupy the connection slot. An attacker can quickly exhaust the max_connections limit configured in /etc/ksmbd/ksmbd.conf by repeatedly sending SYN packets from a single IP address, leading to a complete denial of legitimate SMB traffic.

Although administrators can set the handshake_timeout to a minimum of one minute, this only delays the attack and does not provide complete defense, as attackers can continuously initiate new half-open connections.

A publicly available Python PoC utilizes raw sockets to batch initiate handshake attempts. The attack method is extremely simple, as seen in the poc.py code snippet:
Illustration of KSMBD Denial-of-Service Attack. This script can quickly exhaust the connection pool when run against a vulnerable server, rendering SMB shares unavailable and completely interrupting file transfer and authentication services.
Mitigation Measures
This vulnerability was introduced with Linux kernel version 5.3 when the KSMBD module was merged into the mainline. Upstream maintainers have addressed this issue by submitting e6bb9193974059ddbb0ce7763fa3882bd60d4dc3, which added configurable backlog connection limits and implemented stricter tcp_synack_retries thresholds for half-open sockets.

Various distributions have begun pushing updated kernel packages, and users are advised to upgrade to Linux 6.1.15 or higher. If immediate kernel upgrades are not possible, the following measures can mitigate the risk:
- Implement rate limiting on TCP port 445 at the network layer.
- Configure stricter firewall rules.
- Monitor the number of abnormal SYN packets.
- Adjust KSMBD user space settings to reduce handshake_timeout and limit backlog connections.
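The mechanism described above leaves a visible fingerprint on the server: every handshake that never completes sits in the SYN-RECV state on the SMB listener, and a single peer holding many of them is the signature of connection-pool exhaustion. The following script, added here as an illustration of the "monitor abnormal SYN packets" mitigation and not code from the advisory or the KSMBD project, parses `ss -tan`-style output, counts half-open sockets to port 445 per peer address, and reports which peers exceed a threshold and how close the total is to the configured connection ceiling. The sample `ss` output is constructed, and the threshold and `MAX_CONNECTIONS` values are assumptions to be replaced with the value set in /etc/ksmbd/ksmbd.conf.

```python
"""Count half-open (SYN-RECV) TCP connections to the SMB port per peer,
from `ss -tan`-style output, to spot connection-pool exhaustion early.
Sample data is constructed; thresholds are assumptions, not advisory values."""
import subprocess
from collections import Counter

SMB_PORT = 445
# Assumed alerting thresholds (not from the advisory): flag a single peer
# holding more than PER_PEER_THRESHOLD half-open sockets, and report the
# total against the max_connections ceiling from /etc/ksmbd/ksmbd.conf.
PER_PEER_THRESHOLD = 50
MAX_CONNECTIONS = 128  # placeholder for the locally configured limit

# Constructed sample of `ss -tan` output: one legitimate established session,
# the listener itself, a burst of half-open handshakes from one peer, one
# stray SYN-RECV from a second peer, and an unrelated half-open SSH socket.
SAMPLE_SS_OUTPUT = "\n".join(
    ["State    Recv-Q Send-Q Local Address:Port   Peer Address:Port",
     "ESTAB    0      0      10.0.0.5:445         198.51.100.3:40000",
     "LISTEN   0      128    0.0.0.0:445          0.0.0.0:*"]
    + [f"SYN-RECV 0      0      10.0.0.5:445         203.0.113.7:{50000 + i}"
       for i in range(60)]
    + ["SYN-RECV 0      0      10.0.0.5:445         198.51.100.9:41001",
       "SYN-RECV 0      0      10.0.0.5:22          203.0.113.7:41002"]
)


def split_host_port(addr):
    """Split 'host:port' (IPv4 or bracketed IPv6) on the last colon."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def half_open_by_peer(ss_output, port=SMB_PORT):
    """Return Counter of peer IP -> number of SYN-RECV sockets on `port`."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header, blank lines and any socket not in SYN-RECV state.
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        _, local_port = split_host_port(fields[3])
        if local_port != str(port):
            continue  # half-open sockets on other services are not our concern
        peer_host, _ = split_host_port(fields[4])
        counts[peer_host] += 1
    return counts


def assess(ss_output, port=SMB_PORT, per_peer=PER_PEER_THRESHOLD,
           ceiling=MAX_CONNECTIONS):
    """Summarise half-open pressure on the SMB listener.

    Returns total half-open sockets, peers above the per-peer threshold,
    and the fraction of the connection ceiling currently consumed."""
    counts = half_open_by_peer(ss_output, port)
    total = sum(counts.values())
    return {
        "total_half_open": total,
        "offenders": sorted(ip for ip, n in counts.items() if n > per_peer),
        "pool_pressure": total / ceiling,
    }


def assess_live():
    """Run `ss -tan` on this host and assess the real socket table."""
    out = subprocess.run(["ss", "-tan"], capture_output=True, text=True,
                         check=True).stdout
    return assess(out)


if __name__ == "__main__":
    report = assess(SAMPLE_SS_OUTPUT)
    print(f"half-open SMB sockets: {report['total_half_open']} "
          f"({report['pool_pressure']:.0%} of ceiling)")
    for ip in report["offenders"]:
        print(f"ALERT: {ip} holds more than {PER_PEER_THRESHOLD} half-open sockets")
```

Run periodically (for example from a cron job or a systemd timer) with `assess_live()` in place of the constructed sample; a peer that shows up in `offenders` is a candidate for a per-source rate limit on port 445, and `pool_pressure` climbing toward 1.0 means legitimate clients are about to be refused.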
Given that SMB services play a critical role in file sharing and authentication within enterprise networks, it is recommended to patch as soon as possible. The KSMBDrain proof of concept highlights the importance of defending against resource exhaustion attacks that exploit protocol characteristics rather than code injection or privilege escalation. Continuous monitoring and keeping the kernel version updated are key measures to mitigate the risks associated with CVE-2025-38501.