Critical Denial-of-Service Vulnerability in Linux Kernel’s KSMBD Subsystem Exposes Servers to Remote Attacks

A significant denial-of-service (DoS) vulnerability has been identified in the Linux kernel’s KSMBD (SMB Direct) subsystem, raising serious concerns within the open-source community. Designated as CVE-2025-38501, this flaw enables remote, unauthenticated attackers to deplete all available SMB connections by exploiting the kernel’s handling of half-open TCP sessions.

Key Highlights:

1. Vulnerability Details: CVE-2025-38501 allows attackers to exhaust KSMBD connections through half-open TCP handshakes.

2. Proof-of-Concept Exploit: A publicly available exploit, termed KSMBDrain, demonstrates how servers can be overwhelmed by flooding them with SYN packets.

3. Patch Availability: The issue has been addressed in Linux kernel version 6.1.15 and later; users are advised to upgrade or implement rate-limiting measures on port 445.

Understanding the KSMBD DoS Attack:

The root of this vulnerability lies in KSMBD’s default behavior of maintaining incomplete connections without imposing an upper limit on pending SYN–ACK sockets. In a typical TCP handshake, when a client sends a SYN packet, the server responds with a SYN–ACK and awaits the final ACK to establish the connection. If the final ACK is not received, KSMBD continues to hold the connection slot open.

An attacker can exploit this by repeatedly sending SYN packets from a single IP address, thereby saturating the server’s `max_connections` limit configured in `/etc/ksmbd/ksmbd.conf`. This saturation results in a complete denial of service for legitimate SMB traffic.

While administrators can set the `handshake_timeout` parameter to as low as one minute, this measure only slows down the attack rather than preventing it. An attacker can continuously initiate new half-open sessions, rendering the timeout ineffective.

Proof-of-Concept Exploit – KSMBDrain:

The publicly available proof-of-concept exploit, KSMBDrain, is written in Python and utilizes raw sockets to mass-generate handshake attempts. By running this script against a vulnerable server, the connection pool is rapidly depleted, making SMB shares inaccessible and effectively halting file transfers and authentication services.

Risk Assessment:

– Affected Products: Linux Kernel KSMBD subsystem (versions 5.3 and later).

– Impact: Denial of Service.

– Exploit Prerequisites: Network connectivity to the target KSMBD server on TCP port 445; no authentication required.

– CVSS 3.1 Score: Not yet assigned.

Mitigation Strategies:

The vulnerability was introduced in Linux kernel version 5.3 when the KSMBD module was integrated into the mainline. Upstream maintainers have addressed the issue in commit e6bb9193974059ddbb0ce7763fa3882bd60d4dc3, which introduces a configurable backlog limit and enforces a shorter `tcp_synack_retries` threshold for half-open sockets.

Distributions have begun rolling out updated kernel packages; users are strongly encouraged to apply the fix by upgrading to Linux kernel version 6.1.15 or later.

In scenarios where an immediate kernel upgrade is not feasible, implementing network-level rate limiting on TCP port 445 and enforcing stricter firewall rules can help mitigate potential exploitation.

Additionally, security teams should monitor for an abnormal number of SYN packets and adjust KSMBD’s user-space settings to lower `handshake_timeout` and limit backlog counts.
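As an added illustration of the monitoring advice above (not code from the original article or from the KSMBDrain exploit), the following script counts half-open connections to port 445 per peer address from the output of `ss -tan`, the kind of check a defender can run on a KSMBD host to spot one source holding many pending handshakes. The sample output, the regex for the five-column `ss` layout, and the flagging threshold are all assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample of `ss -tan` output on a host running KSMBD. The
# SYN-RECV rows model the half-open handshakes the article describes.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      128    0.0.0.0:445         0.0.0.0:*
ESTAB      0      0      10.0.0.5:445        10.0.0.20:51234
SYN-RECV   0      0      10.0.0.5:445        198.51.100.7:40001
SYN-RECV   0      0      10.0.0.5:445        198.51.100.7:40002
SYN-RECV   0      0      10.0.0.5:445        198.51.100.7:40003
SYN-RECV   0      0      10.0.0.5:445        198.51.100.7:40004
SYN-RECV   0      0      10.0.0.5:445        203.0.113.9:33000
SYN-RECV   0      0      10.0.0.5:22         203.0.113.9:33001
"""

# Assumed five-column layout: State Recv-Q Send-Q Local:Port Peer:Port.
# The greedy address group backtracks to the last ':' so IPv6 forms work too.
LINE_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\S+)$"
)


def half_open_by_peer(ss_output: str, port: int = 445) -> Counter:
    """Count SYN-RECV sockets on the given local port, keyed by peer address."""
    counts = Counter()
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["state"] != "SYN-RECV" or int(m["lport"]) != port:
            continue  # header, other states, or other services are ignored
        counts[m["raddr"]] += 1
    return counts


def flag_sources(ss_output: str, threshold: int = 3, port: int = 445) -> dict:
    """Return peers holding at least `threshold` half-open connections to SMB."""
    counts = half_open_by_peer(ss_output, port)
    return {peer: n for peer, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for peer, n in sorted(flag_sources(SAMPLE_SS_OUTPUT).items()):
        print(f"{peer}: {n} half-open connections to port 445")
```

On a live host, feed the script the real output of `ss -tan` and compare the flagged peers against `max_connections` from `/etc/ksmbd/ksmbd.conf` to judge how close the pool is to exhaustion.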

Conclusion:

As SMB services are integral to file sharing and authentication in enterprise networks, prompt patching is crucial. The KSMBDrain exploit highlights the importance of defending against resource exhaustion attacks that exploit protocol-level vulnerabilities rather than relying on code injection or privilege escalation. Continuous monitoring and maintaining up-to-date kernel versions are essential steps to mitigate the risks associated with CVE-2025-38501.