CVE-2025-68263

Critical

Published: 16 December 2025

Published

16 December 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0010 27.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: ipc: fix use-after-free in ipc_msg_send_request ipc_msg_send_request() waits for a generic netlink reply using an ipc_msg_table_entry on the stack. The generic netlink handler (handle_generic_event()/handle_response()) fills entry->response under ipc_msg_table_lock, but ipc_msg_send_request()…

used to validate and free entry->response without holding the same lock. Under high concurrency this allows a race where handle_response() is copying data into entry->response while ipc_msg_send_request() has just freed it, leading to a slab-use-after-free reported by KASAN in handle_generic_event(): BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd] Write of size 12 at addr ffff888198ee6e20 by task pool/109349 ... Freed by task: kvfree ipc_msg_send_request [ksmbd] ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd] Fix by: - Taking ipc_msg_table_lock in ipc_msg_send_request() while validating entry->response, freeing it when invalid, and removing the entry from ipc_msg_table. - Returning the final entry->response pointer to the caller only after the hash entry is removed under the lock. - Returning NULL in the error path, preserving the original API semantics. This makes all accesses to entry->response consistent with handle_response(), which already updates and fills the response buffer under ipc_msg_table_lock, and closes the race that allowed the UAF.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the use-after-free vulnerability by applying kernel patches that hold ipc_msg_table_lock during response validation and freeing in ipc_msg_send_request.

SC-7 Boundary Protection partial match

prevent

Monitors and controls network communications at boundaries to restrict unauthenticated remote access to the exposed ksmbd SMB service, preventing trigger of the high-concurrency race condition.

CM-7 Least Functionality partial match

prevent

Configures the system for least functionality by disabling unnecessary kernel modules like ksmbd when SMB services are not required, reducing the attack surface for this vulnerability.

Security SummaryAI

CVE-2025-68263 is a use-after-free vulnerability in the Linux kernel's ksmbd module, specifically in the ipc_msg_send_request function. This issue arises from a race condition under high concurrency, where ipc_msg_send_request waits for a generic netlink reply using a stack-allocated ipc_msg_table_entry. The generic netlink handlers (handle_generic_event and handle_response) fill entry->response under ipc_msg_table_lock, but ipc_msg_send_request previously validated and freed entry->response without holding the lock, allowing handle_response to copy data into a freed buffer. The vulnerability was detected by KASAN during operations like ksmbd_rpc_open and ksmbd_session_rpc_open, affecting systems running the ksmbd kernel SMB server.

Remote attackers require no privileges or user interaction to exploit this vulnerability, as indicated by its CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation involves triggering the race during high-concurrency scenarios in ksmbd IPC messaging, potentially leading to slab-use-after-free writes that could enable arbitrary code execution, data corruption, or denial of service. The unauthenticated network accessibility of ksmbd makes it feasible for attackers to target exposed SMB services.

Mitigation requires applying the upstream kernel patches referenced in the stable git commits, such as 1fab1fa091f5aa97265648b53ea031deedd26235, 5ac763713a1ef8f9a8bda1dbd81f0318d67baa4e, 708a620b471a14466f1f52c90bf3f65ebdb31460, 759c8c30cfa8706c518e56f67971b1f0932f4b9b, and 8229c6ca50cea701e25a7ee25f48441b582ec5fa. These fixes ensure ipc_msg_table_lock is held during validation, freeing, and removal of the entry in ipc_msg_send_request, while returning the response pointer only after lock-protected removal, closing the race and preserving API semantics.

Details

CWE(s): None listed

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a remote, unauthenticated use-after-free in the Linux kernel's ksmbd SMB server, enabling exploitation of a remote service for code execution, directly mapping to T1210: Exploitation of Remote Services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://git.kernel.org/stable/c/1fab1fa091f5aa97265648b53ea031deedd26235
416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5ac763713a1ef8f9a8bda1dbd81f0318d67baa4e
416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/708a620b471a14466f1f52c90bf3f65ebdb31460
416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/759c8c30cfa8706c518e56f67971b1f0932f4b9b
416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/8229c6ca50cea701e25a7ee25f48441b582ec5fa
416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/de85fb58f9967ba024bb08e0041613d37b57b4d1
416baaa9-dc9f-4396-8d5f-8c081fb06d67