Full Report
The author of the post found a vulnerability in the Linux kernel SMB implementation (ksmbd) and then used an LLM to find a variant of it elsewhere in the codebase. This is the story of how that happened.

CVE-2025-37778 is a use-after-free vulnerability and the original bug that was spotted. In the session setup request for Kerberos, if the session state is SMB2_SESSION_VALID, the sess->user object is freed. This is done in order to prevent a UAF later. Unfortunately, because of a concurrency issue, there is a code path that can still use this object while it is not initialized. This is the basis of the vulnerability.

The general prompt contained the following: look for use-after-free vulnerabilities; a deep explanation of ksmbd, its threat model and architecture; be cautious; favor not reporting false positives. The author then repeated the experiment 100 times. Out of these runs, 8 found the bug, 66 did not find the bug and 28 reported false positives. When running with ALL of the command handlers at once, the discovery rate dropped to 1 out of 100. It is interesting to see the discovery rate fluctuate so much.

While running these scans for their vulnerability, a new bug was reported: a UAF via bad concurrency handling in the SMB2_SESSION_LOGOFF code. The author shows the direct output from the LLM and it is quite precise: it is able to reason about two workers hitting the code at the same time, leading to a UAF. The noise is high, with a signal-to-noise ratio of about 1:50. Still, this is a good step in the right direction and the tooling will only get better going forward.
Awesome write up on vulnerability discovery in the Linux kernel using LLMs!
Analysis Summary
# Vulnerability: Use-After-Free in Linux Kernel ksmbd SMB3 Implementation
## CVE Details
- **CVE ID:** CVE-2025-37899 (and variant CVE-2025-37778)
- **CVSS Score:** Not yet finalized (Estimated: 8.1 - 9.8)
- **Severity:** Critical
- **CWE:** CWE-416 (Use After Free), CWE-362 (Race Condition)
## Affected Systems
- **Products:** Linux Kernel
- **Versions:** Vulnerable prior to the fix in May 2025 (affected versions include 6.x branches where ksmbd is active).
- **Configurations:** Systems running the `ksmbd` kernel-mode SMB server with session binding or Kerberos authentication enabled.
## Vulnerability Description
The vulnerability is a Use-After-Free (UAF) rooted in improper concurrency handling within the `ksmbd` SMB3 server implementation.
1. **CVE-2025-37778 (The "Kerberos" Bug):** During a session setup request using Kerberos, if a session is already marked as `SMB2_SESSION_VALID`, the `sess->user` object is freed. If the subsequent authentication fails or follows specific code paths, `sess->user` may be accessed after being freed because it was not properly re-initialized or nullified before other threads could access the session.
2. **CVE-2025-37899 (The "Logoff" Zero-day):** A variant found in the `SMB2_SESSION_LOGOFF` handler. Because ksmbd allows multiple connections to share the same session, one thread can initiate a logoff, freeing the session's user object, while another concurrent request (thread) is still using that same object. The lack of reference counting on the `user` object allows this race condition to trigger a UAF.
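The following is an added example, not ksmbd's code and not taken from the original post: a minimal C model of the safeguard the description above says is missing, a reference-counted `user` object that a logoff can detach from the session without freeing it out from under a concurrent request. Every struct and function name here (`session_model`, `user_model`, `session_user_get`, `session_logoff`, and so on) is invented for illustration, and the spinlock stands in for whatever locking the real server uses. The demo runs the interleaving from the description deterministically (request A obtains the user, a logoff lands, A keeps working) and reports whether the object's lifetime was respected.

```c
/* Added example (not ksmbd code): reference-counted user object so that a
 * logoff cannot free it while another request still holds it. All names
 * here are invented for illustration. */
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct user_model {
    atomic_int refcnt;          /* one reference per holder of the pointer */
    char name[32];
};

struct session_model {
    atomic_flag lock;           /* spinlock guarding the user pointer */
    struct user_model *user;    /* NULL once the session has logged off */
};

static atomic_int g_user_frees; /* counts real frees, for the demonstration */

static void session_lock(struct session_model *s)
{
    while (atomic_flag_test_and_set(&s->lock))
        ;                       /* spin; adequate for a single-purpose model */
}

static void session_unlock(struct session_model *s)
{
    atomic_flag_clear(&s->lock);
}

static struct user_model *user_alloc(const char *name)
{
    struct user_model *u = calloc(1, sizeof(*u));
    if (!u)
        return NULL;
    atomic_init(&u->refcnt, 1); /* the session owns the initial reference */
    snprintf(u->name, sizeof(u->name), "%s", name);
    return u;
}

static void user_get(struct user_model *u)
{
    atomic_fetch_add(&u->refcnt, 1);
}

/* Drop one reference; only the last holder actually frees the object. */
static void user_put(struct user_model *u)
{
    if (atomic_fetch_sub(&u->refcnt, 1) == 1) {
        atomic_fetch_add(&g_user_frees, 1);
        free(u);
    }
}

/* A request handler takes its own reference under the lock before using it. */
static struct user_model *session_user_get(struct session_model *s)
{
    struct user_model *u;

    session_lock(s);
    u = s->user;
    if (u)
        user_get(u);
    session_unlock(s);
    return u;
}

/* Logoff detaches and nulls the pointer under the lock, then drops only the
 * session's own reference; a request that already holds one keeps the
 * object alive until it calls user_put(). */
static void session_logoff(struct session_model *s)
{
    struct user_model *u;

    session_lock(s);
    u = s->user;
    s->user = NULL;
    session_unlock(s);
    if (u)
        user_put(u);
}

/* Deterministic replay of the race: request A obtains the user, logoff runs,
 * A keeps using it, A finishes. Returns strlen of the user name (5 for the
 * constructed name "alice") on success, a negative code on any violation. */
int demo_logoff_while_in_use(void)
{
    struct session_model s = { ATOMIC_FLAG_INIT, NULL };
    struct user_model *u;
    int frees_after_logoff;
    size_t len;

    atomic_store(&g_user_frees, 0);
    s.user = user_alloc("alice");       /* constructed sample user */
    if (!s.user)
        return -1;

    u = session_user_get(&s);           /* request A starts, holds a ref */
    session_logoff(&s);                 /* concurrent logoff lands here  */
    frees_after_logoff = atomic_load(&g_user_frees);
    len = strlen(u->name);              /* still valid: A holds a ref    */
    user_put(u);                        /* A finishes: last ref, freed   */

    if (s.user != NULL)
        return -2;                      /* logoff must null the pointer  */
    if (session_user_get(&s) != NULL)
        return -3;                      /* later requests see no user    */
    if (frees_after_logoff != 0)
        return -4;                      /* freed while still in use      */
    if (atomic_load(&g_user_frees) != 1)
        return -5;                      /* leaked or double-freed        */
    return (int)len;
}

int main(void)
{
    printf("demo result: %d (expect 5)\n", demo_logoff_while_in_use());
    return 0;
}
```

The point of the model is the ordering inside `session_logoff`: the pointer is nulled while the lock is held, so no later request can pick it up, and the free is deferred to the last `user_put`, so the request that is mid-flight never touches freed memory. Compile with a C11 compiler (`cc -std=c11 demo.c`).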
## Exploitation
- **Status:** PoC described; discovered via automated LLM reasoning (OpenAI o3). Reported as a zero-day.
- **Complexity:** Medium (Requires timing concurrent requests/session binding).
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Potential memory disclosure)
- **Integrity:** High (Potential for memory corruption and code execution)
- **Availability:** High (Kernel panic/System crash)
## Remediation
### Patches
- **Linux Kernel Mainline:** A fix has been committed to the official Linux repository.
- **Specific Commit:** `2fc9feff45d92a92cd5f96487655d5be23fb7e2b`
- **Action:** Update to the latest stable kernel version (e.g., 6.13+ or patched LTS releases).
### Workarounds
- Disable the `ksmbd` module if not strictly required for kernel-space SMB performance.
- Use the user-space `samba` implementation as an alternative, which is not affected by this kernel-level UAF.
## Detection
- **Indicators of Compromise:** Unusual kernel oops or crashes involving `ksmbd` functions (e.g., `smb2_session_logoff` or `krb5_authenticate`).
- **Detection Methods:** Monitor for multiple session setup/logoff requests occurring rapidly from the same source IP/Client ID, which may indicate a race condition exploitation attempt.
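As an added example of the monitoring rule above (not code from the original post, and not a real ksmbd log format), the following C program counts session setup and logoff requests per client over a sliding time window and flags a client that issues five or more of them within ten seconds. The log line format `"<epoch_seconds> <client_ip> <command>"`, the command names, the threshold and window, and the sample lines are all constructed for the illustration.

```c
/* Added example (not ksmbd code): per-client rate check over constructed
 * log lines "<epoch_seconds> <client_ip> <command>". Flags a client that
 * sends THRESHOLD or more SESSION_SETUP/SESSION_LOGOFF requests within
 * WINDOW_SECS. Format, names and numbers are all assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_CLIENTS 16
#define MAX_EVENTS  64
#define WINDOW_SECS 10
#define THRESHOLD   5

struct client_track {
    char ip[16];
    long ts[MAX_EVENTS];    /* timestamps of recent setup/logoff events */
    int n;
    int flagged;
};

static struct client_track tracks[MAX_CLIENTS];
static int ntracks;

static void reset_tracks(void)
{
    memset(tracks, 0, sizeof(tracks));
    ntracks = 0;
}

static struct client_track *track_for(const char *ip)
{
    for (int i = 0; i < ntracks; i++)
        if (strcmp(tracks[i].ip, ip) == 0)
            return &tracks[i];
    if (ntracks == MAX_CLIENTS)
        return NULL;
    snprintf(tracks[ntracks].ip, sizeof(tracks[ntracks].ip), "%s", ip);
    return &tracks[ntracks++];
}

/* Feed one log line. Returns 1 the first time a client crosses the threshold,
 * 0 otherwise (including for unparsable or unrelated lines). */
int feed_line(const char *line)
{
    long ts;
    char ip[16], cmd[32];
    struct client_track *t;
    int keep = 0;

    if (sscanf(line, "%ld %15s %31s", &ts, ip, cmd) != 3)
        return 0;
    if (strcmp(cmd, "SESSION_SETUP") != 0 && strcmp(cmd, "SESSION_LOGOFF") != 0)
        return 0;                       /* only session lifecycle requests */
    t = track_for(ip);
    if (!t)
        return 0;

    for (int i = 0; i < t->n; i++)      /* drop events outside the window */
        if (ts - t->ts[i] <= WINDOW_SECS)
            t->ts[keep++] = t->ts[i];
    t->n = keep;
    if (t->n < MAX_EVENTS)
        t->ts[t->n++] = ts;

    if (t->n >= THRESHOLD && !t->flagged) {
        t->flagged = 1;
        return 1;
    }
    return 0;
}

int ip_flagged(const char *ip)
{
    for (int i = 0; i < ntracks; i++)
        if (strcmp(tracks[i].ip, ip) == 0)
            return tracks[i].flagged;
    return 0;
}

/* Constructed sample: 192.0.2.10 churns sessions within three seconds,
 * 198.51.100.7 does one normal login/logoff over about a minute, and
 * 203.0.113.5 does unrelated work. Returns the number of clients flagged. */
int run_sample(void)
{
    static const char *lines[] = {
        "1000 192.0.2.10 SESSION_SETUP",
        "1000 192.0.2.10 SESSION_LOGOFF",
        "1000 198.51.100.7 SESSION_SETUP",
        "1001 203.0.113.5 TREE_CONNECT",
        "1001 192.0.2.10 SESSION_SETUP",
        "1001 192.0.2.10 SESSION_LOGOFF",
        "1002 192.0.2.10 SESSION_SETUP",
        "1002 192.0.2.10 SESSION_LOGOFF",
        "1030 198.51.100.7 SESSION_LOGOFF",
        "1065 198.51.100.7 SESSION_SETUP",
    };
    int flagged = 0;

    reset_tracks();
    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
        if (feed_line(lines[i])) {
            printf("alert: rapid session churn: %s\n", lines[i]);
            flagged++;
        }
    return flagged;
}
```

The window is slid on every event rather than on a timer, so the check stays cheap and needs no background thread; tune `THRESHOLD` and `WINDOW_SECS` to the normal reconnect behaviour of the clients in the environment before relying on it, since a legitimate client reconnect storm would trip the same rule.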
## References
- **Vendor Advisory:** <https://github.com/torvalds/linux/commit/2fc9feff45d92a92cd5f96487655d5be23fb7e2b>
- **Original Source:** <https://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-2025-37899-a-remote-zeroday-vulnerability-in-the-linux-kernels-smb-implementation/>
- **Kernel Documentation:** <https://www.kernel.org/doc/html/v6.6/filesystems/smb/ksmbd.html>