Security researchers have released a full proof-of-concept (PoC) exploit for a high-severity vulnerability in the Linux kernel\u2019s The vulnerability, tracked as CVE-2025-37947, is an out-of-bounds write<\/a> that can be leveraged by an authenticated local attacker to gain complete root control over a vulnerable system.<\/p>\n This discovery, detailed by researchers at Doyensec, is the culmination of extensive vulnerability research into the kernel-level Server Message Block (SMB) server, which has seen increased adoption in recent Linux versions. <\/p>\n The public release of the exploit code underscores the practical risk posed by this flaw to systems running the affected kernel module.<\/p>\n The root cause of CVE-2025-37947<\/a> lies within the The vulnerability can be triggered by an authenticated user on systems where The flaw stems from improper size validation when a user-supplied position and data count surpass the Although the code truncates the allocation size for the buffer, it fails to adjust the count for the This logic error allows an attacker to write a controlled amount of data past the boundary of the allocated kernel buffer, leading to memory corruption in an adjacent memory region.<\/p>\n The Doyensec researchers detailed<\/a> how this out-of-bounds write primitive can be escalated into a full root exploit on a modern Linux system, specifically Ubuntu 22.04.5 LTS.<\/p>\n The exploitation strategy involves a sophisticated, multi-stage process that begins with heap shaping to manipulate the kernel\u2019s memory layout. <\/p>\n By carefully allocating and freeing kernel objects, the attackers could position a controlled victim object, a The out-of-bounds write is then used to corrupt the This UAF primitive is subsequently used to leak kernel memory addresses, bypassing Kernel Address Space Layout Randomization (KASLR). <\/p>\n With KASLR defeated, the attackers reuse the UAF to overwrite a function pointer in a In their disclosure, the researchers published the complete local privilege escalation exploit on GitHub<\/a>. This allows other security professionals to analyze the attack and validate its impact on their systems.<\/p>\n While the current exploit focuses on local access, the researchers noted that remote exploitation is significantly more challenging, as it would likely require a separate information disclosure vulnerability to defeat KASLR<\/a> and make heap grooming reliable.<\/p>\n This finding is part of a broader security audit of System administrators are advised to review their use of The post Linux Kernel ksmbd Filesystem Vulnerability Exploited \u2013 PoC Released<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nksmbd<\/code> module, demonstrating a reliable path to local privilege escalation. <\/p>\nksmbd_vfs_stream_write()<\/code> function, which is responsible for handling write operations to file streams using extended attributes.<\/p>\nksmbd<\/code> is configured with a writable share and the streams_xattr<\/code> VFS module is enabled. <\/p>\nXATTR_SIZE_MAX<\/code> limit of 65,536 bytes. <\/p>\nmemcpy<\/code> operation accordingly. <\/p>\nFrom Bug To Root Privilege Escalation<\/strong><\/h2>\n
msg_msg<\/code> kernel message structure, directly after the vulnerable buffer. <\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgzjjJPLdBVhaJWQfRZ-aJ5SW7wZQzQ8gCzqAmZI7YgAlxTj0Uy3ALzYCT-JyCpyscoruzlkZlaSNXTdzUP0AMw3sgHWX1zJ0Z44q66wARNg1YXy6Yl9Cjoy-9kuHBy4F1fhH6PxOgCFQGUBG2MM3HlK6a7hANhoBIcaata5B1R7aqPsDSRYHrw6gxYgibj\/s1600\/GitLab%2520Security%2520Upda..._imresizer%282%29.webp?ssl=1\")
<\/figure>\n<\/div>\nmsg_msg<\/code> header, creating a use-after-free (UAF)<\/a> condition.<\/p>\npipe_buffer<\/code> object, hijacking the kernel\u2019s control flow to execute a ROP chain that grants them root privileges.<\/p>\nProof-of-Concept Exploit Released<\/strong><\/h2>\n
ksmbd<\/code> by Doyensec, which has previously uncovered other critical vulnerabilities, including several unauthenticated race conditions and memory exhaustion flaws. <\/p>\nksmbd<\/code> and ensure that their systems are patched against CVE-2025-37947 as updates become available from their Linux distribution providers.<\/p>\nCyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today<\/a><\/code><\/strong><\/p>\n