{"id":6984,"date":"2025-09-17T10:04:18","date_gmt":"2025-09-17T10:04:18","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/09\/17\/linux-kernels-ksmbd-subsystem-vulnerability-let-remote-attackers-exhaust-server-resources\/"},"modified":"2025-09-17T10:04:18","modified_gmt":"2025-09-17T10:04:18","slug":"linux-kernels-ksmbd-subsystem-vulnerability-let-remote-attackers-exhaust-server-resources","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/09\/17\/linux-kernels-ksmbd-subsystem-vulnerability-let-remote-attackers-exhaust-server-resources\/","title":{"rendered":"Linux Kernel\u2019s KSMBD Subsystem Vulnerability Let Remote Attackers Exhaust Server Resources"},"content":{"rendered":"

Linux Kernel\u2019s KSMBD Subsystem Vulnerability Let Remote Attackers Exhaust Server Resources
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A denial-of-service flaw in the Linux kernel\u2019s KSMBD<\/a> (SMB Direct) subsystem has raised alarms across the open-source community.\u00a0<\/p>\n

Tracked as CVE-2025-38501, the issue allows a remote, unauthenticated adversary to exhaust all available SMB connections by exploiting the kernel\u2019s handling of half-open TCP sessions.\u00a0<\/p>\n

Key Takeaways<\/strong>
1. CVE-2025-38501 lets attackers exhaust KSMBD connections via half-open TCP handshakes.
2. PoC \u201cKSMBDrain\u201d floods servers with SYN packets to trigger the flaw.
3. Patched in Linux 6.1.15+; upgrade or rate-limit port 445.<\/pre>\n
A public proof-of-concept exploit, dubbed KSMBDrain, demonstrates how attackers can overwhelm a KSMBD server simply by initiating thousands of TCP three-way handshakes and then failing to complete the session, causing the server to hold sockets indefinitely.<\/p>\n
KSMBD DoS Attack<\/strong><\/h2>\n
The flaw originates from KSMBD\u2019s default behavior of retaining incomplete connections without an upper limit on pending SYN\u2013ACK sockets. When a client sends a SYN, the kernel replies with a SYN\u2013ACK and awaits the final ACK.\u00a0<\/p>\n
If that ACK never arrives, KSMBD will keep the connection slot open. By repeatedly sending SYN packets from a single IP address, an attacker can saturate the server\u2019s max_connections limit configured in \/etc\/ksmbd\/ksmbd.conf, resulting in a complete denial of subsequent legitimate SMB traffic.\u00a0<\/p>\n
Although administrators can set a handshake_timeout as low as one minute, this only slows the attack rather than preventing it, since an attacker can continuously reopen new half-open sessions.<\/p>\n
The publicly available PoC<\/a>, written in Python, leverages raw sockets to mass-spawn handshake attempts. A snippet from poc.py reveals the simplicity of the exploit:<\/p>\n
\n
\"KSMBD
KSMBD DoS Attack<\/strong><\/figcaption><\/figure>\n<\/div>\n
Running this script against a vulnerable server quickly depletes the connection pool, rendering SMB shares inaccessible and effectively halting file transfers and authentication services.<\/p>\n
\n\n\n\n\n\n\n\n
Risk Factors<\/strong><\/td>\nDetails<\/strong><\/td>\n<\/tr>\n
Affected Products<\/td>\nLinux Kernel KSMBD subsystem (versions 5.3 and later)<\/td>\n<\/tr>\n
Impact<\/td>\nDenial of Service<\/td>\n<\/tr>\n
Exploit Prerequisites<\/td>\nNetwork connectivity to target KSMBD server on TCP port 445; No authentication required<\/td>\n<\/tr>\n
CVSS 3.1 Score<\/td>\nNot yet assigned<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n
Mitigations<\/strong><\/h2>\n
The vulnerability was introduced in Linux kernel 5.3 when the KSMBD module was merged into the mainline.\u00a0Upstream maintainers addressed the issue in commit e6bb9193974059ddbb0ce7763fa3882bd60d4dc3, which adds a configurable backlog limit and enforces a shorter tcp_synack_retries threshold for half-open sockets.\u00a0<\/p>\n
Distributions have begun rolling out updated kernel packages; users should apply the fix by upgrading to Linux 6.1.15 or later.<\/p>\n
In environments where an immediate kernel upgrade<\/a> is impractical, network-level rate limiting on TCP port 445 and stricter firewall rules can help mitigate exploitation.\u00a0<\/p>\n
Additionally, security teams are advised to monitor for an abnormal number of SYN packets and to adjust KSMBD\u2019s user-space settings to lower handshake_timeout and limit backlog counts.<\/p>\n
As SMB services remain a critical component for file sharing and authentication<\/a> in enterprise networks, prompt patching is essential.\u00a0<\/p>\n
The KSMBDrain exploit underscores the importance of defending against resource exhaustion attacks that leverage protocol-level quirks rather than code injection or privilege escalation<\/a>.\u00a0<\/p>\n
Continuous monitoring and maintaining up-to-date kernel versions will mitigate the risk posed by CVE-2025-38501.<\/p>\n
Free live\u00a0webinar\u00a0on new malware tactics from our analysts! Learn advanced detection techniques ->\u00a0Register for Free<\/a><\/code><\/strong><\/p>\n
The post Linux Kernel\u2019s KSMBD Subsystem Vulnerability Let Remote Attackers Exhaust Server Resources<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
 \t

\n 
<\/BR>
\n    Florence Nightingale
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n 
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"
Linux Kernel\u2019s KSMBD Subsystem Vulnerability Let Remote Attackers Exhaust Server Resources A denial-of-service flaw in the Linux kernel\u2019s KSMBD (SMB Direct) subsystem has raised alarms across the open-source community.\u00a0 Tracked as CVE-2025-38501, the issue allows a remote, unauthenticated adversary to exhaust all available SMB connections by exploiting the kernel\u2019s handling of half-open TCP sessions.\u00a0 Key […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-6984","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6984"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=6984"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6984\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=6984"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=6984"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=6984"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}