Cyber Web Spider Blog – News

Linux Kernel ksmbd Filesystem Vulnerability Exploited

Posted on October 9, 2025 By CWS

Security researchers have released a full proof-of-concept (PoC) exploit for a high-severity vulnerability in the Linux kernel's ksmbd module, demonstrating a reliable path to local privilege escalation.

The vulnerability, tracked as CVE-2025-37947, is an out-of-bounds write that can be leveraged by an authenticated local attacker to gain full root control over a vulnerable system.

The discovery, detailed by researchers at Doyensec, is the culmination of extensive vulnerability research into the in-kernel Server Message Block (SMB) server, which has seen increasing adoption in recent Linux versions.

The public release of the exploit code underscores the practical risk this flaw poses to systems running the affected kernel module.

The root cause of CVE-2025-37947 lies in the ksmbd_vfs_stream_write() function, which handles write operations to file streams stored in extended attributes.

The vulnerability can be triggered by an authenticated user on systems where ksmbd is configured with a writable share and the streams_xattr VFS module is enabled; without both conditions the vulnerable code path is not reachable.

The flaw stems from improper size validation when the user-supplied write position and byte count together exceed the XATTR_SIZE_MAX limit of 65,536 bytes.

Although the code truncates the allocation size of the buffer to that limit, it fails to adjust the count passed to the memcpy operation accordingly.

This logic error allows an attacker to write a controlled amount of data past the end of the allocated kernel buffer, corrupting whatever object sits in the adjacent memory region.
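To make the size-clamp mistake concrete, the following is an added user-space model written for this page; it is not code from the kernel or from Doyensec's PoC. It uses the XATTR_SIZE_MAX value quoted in the article; the GUARD redzone, CANARY byte, write_result/stream types and the sample offsets are constructed for the demonstration, and stream_write_vulnerable() is a simplified model of the pattern described above rather than the kernel's actual ksmbd_vfs_stream_write() source. The hardened variant shows the two checks a fix needs: reject a position at or beyond the limit, and clamp the copy length together with the allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XATTR_SIZE_MAX 65536  /* kernel limit on an xattr value (64 KiB), as in the article */
#define GUARD          4096   /* constructed: canary-filled redzone after each allocation */
#define CANARY         0xA5   /* constructed: redzone fill byte; sample data never uses it */

struct write_result {
    int    rc;       /* 0 = accepted, -1 = rejected */
    size_t written;  /* bytes the memcpy actually copied */
    size_t oob;      /* bytes that landed in the redzone, i.e. past the allocation */
};

struct stream {
    char  *buf;   /* `size` bytes of "xattr value" followed by GUARD redzone bytes */
    size_t size;  /* what the write path believes it allocated */
};

/* Allocate `size` bytes plus a canary-filled redzone so that an overflow
 * is observable instead of corrupting unrelated heap memory. */
static struct stream stream_alloc(size_t size)
{
    struct stream s;
    s.buf = calloc(size + GUARD, 1);
    if (!s.buf)
        abort();
    s.size = size;
    memset(s.buf + size, CANARY, GUARD);
    return s;
}

/* Count redzone bytes that no longer hold the canary. */
static size_t stream_oob_bytes(const struct stream *s)
{
    size_t n = 0;
    for (size_t i = 0; i < GUARD; i++)
        if ((unsigned char)s->buf[s->size + i] != CANARY)
            n++;
    return n;
}

/* Vulnerable pattern, modelled on the bug described above (not the kernel
 * source): the allocation is clamped to XATTR_SIZE_MAX but the copy still
 * uses the caller-supplied count. pos + count is kept within the redzone
 * so the overflow stays inside this process. */
static struct write_result stream_write_vulnerable(uint64_t pos, size_t count, const char *data)
{
    struct write_result r = {0, 0, 0};
    if (pos + count > XATTR_SIZE_MAX + GUARD)
        abort();                         /* beyond what the model can observe */
    size_t size = pos + count;
    if (size > XATTR_SIZE_MAX)
        size = XATTR_SIZE_MAX;           /* allocation truncated ... */
    struct stream s = stream_alloc(size);
    memcpy(s.buf + pos, data, count);    /* ... count is not: out-of-bounds write */
    r.written = count;
    r.oob = stream_oob_bytes(&s);
    free(s.buf);
    return r;
}

/* Hardened form: reject a position at or past the limit, and clamp the copy
 * length to the space that actually remains after pos. */
static struct write_result stream_write_fixed(uint64_t pos, size_t count, const char *data)
{
    struct write_result r = {0, 0, 0};
    if (pos >= XATTR_SIZE_MAX) {
        r.rc = -1;                       /* nothing can fit: reject (EINVAL-style) */
        return r;
    }
    size_t size = pos + count;
    if (size > XATTR_SIZE_MAX) {
        size = XATTR_SIZE_MAX;
        count = XATTR_SIZE_MAX - pos;    /* clamp the copy, not only the allocation */
    }
    struct stream s = stream_alloc(size);
    memcpy(s.buf + pos, data, count);
    r.written = count;
    r.oob = stream_oob_bytes(&s);
    free(s.buf);
    return r;
}

/* Constructed request payload: XATTR_SIZE_MAX bytes of 'A'. */
static const char *sample_data(void)
{
    static char data[XATTR_SIZE_MAX];
    memset(data, 'A', sizeof data);
    return data;
}

int main(void)
{
    /* Constructed request: 6 KiB written at offset 60 KiB, 2 KiB past the limit. */
    const uint64_t pos = 61440;
    const size_t count = 6144;
    struct write_result v = stream_write_vulnerable(pos, count, sample_data());
    struct write_result f = stream_write_fixed(pos, count, sample_data());
    printf("vulnerable: copied %zu bytes, %zu past the allocation\n", v.written, v.oob);
    printf("fixed:      copied %zu bytes, %zu past the allocation\n", f.written, f.oob);
    return 0;
}
```

Build and run with `cc -O0 -o stream_write stream_write.c && ./stream_write`: the vulnerable path reports 2048 bytes past the allocation while copying all 6144 bytes, and the hardened path copies the 4096 bytes that fit and reports 0. Note that the hardened form silently shortens the write; a production fix should also make that truncation visible to the caller, since an SMB client that is told its full write succeeded may later read back less than it sent.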

From Bug to Root Privilege Escalation

The Doyensec researchers detailed how this out-of-bounds write primitive can be escalated into a full root exploit on a modern Linux system, specifically Ubuntu 22.04.5 LTS.

The exploitation strategy is a multi-stage process that begins with heap shaping to control the kernel's memory layout.

By carefully allocating and freeing kernel objects, the attacker places a controlled victim object, a msg_msg kernel message structure, directly after the vulnerable buffer.

The out-of-bounds write is then used to corrupt the msg_msg header, turning the overflow into a use-after-free (UAF) condition.

This UAF primitive is subsequently used to leak kernel memory addresses, bypassing Kernel Address Space Layout Randomization (KASLR).

With KASLR defeated, the attacker reuses the UAF to overwrite a function pointer in a pipe_buffer object, hijacking the kernel's control flow to execute a ROP chain that grants root privileges.

Proof-of-Concept Exploit Released

In their disclosure, the researchers published the complete local privilege escalation exploit on GitHub, allowing other security professionals to analyze the attack and validate its impact on their own systems.

While the current exploit targets local access, the researchers noted that remote exploitation is considerably harder, as it would likely require a separate information disclosure vulnerability to defeat KASLR and make the heap grooming reliable.

This finding is part of a broader security audit of ksmbd by Doyensec, which has previously uncovered other significant vulnerabilities, including several unauthenticated race conditions and memory exhaustion flaws.

System administrators are advised to review their use of ksmbd and ensure that their systems are patched against CVE-2025-37947 as updates become available from their Linux distribution providers. Where patching is delayed, removing the streams_xattr VFS module from writable shares, or unloading ksmbd where it is not needed, removes the trigger condition described above.


Category: Cyber Security News. Tags: Exploited, Filesystem, Kernel, KSMBD, Linux, Vulnerability
