Linux Kernel ksmbd Use-After-Free RCE Vulnerability

Security researchers have discovered a critical remote code execution (RCE) vulnerability in the Linux 5.15 kernel's Server Message Block (SMB) server, ksmbd.

ksmbd is a Linux kernel server that implements the SMB3 protocol in kernel space for sharing files over a network. When started, the server daemon launches a forker thread (named ksmbd/interface name) at initialization time and opens the dedicated port 445 to listen for SMB requests.

“This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable,” Zero Day Initiative (ZDI) wrote in an advisory.

“The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the kernel,” ZDI added.
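To make the advisory's point concrete, the following is a hypothetical C model of per-session tree-connect bookkeeping, added here and not taken from ksmbd: the handler looks the tree id up, fails cleanly when the object no longer exists, and holds a reference while operating on it, so a repeated SMB2_TREE_DISCONNECT cannot reach freed memory. All names, the refcount scheme and the use of the status codes are assumptions for illustration.

```c
/* Hypothetical model (not ksmbd source) of per-session tree-connect state.
 * Defensive pattern: confirm the object for a tree id still exists, and hold
 * a reference to it, before operating on it. */
#include <stdint.h>
#include <stdlib.h>

#define MAX_TREE_CONNS 8
#define STATUS_SUCCESS              0x00000000u
#define STATUS_NETWORK_NAME_DELETED 0xC00000C9u /* SMB2 status for a stale id */

struct tree_conn { uint32_t id; int refcount; }; /* 1 for the slot, +1 per request */
struct session { struct tree_conn *conns[MAX_TREE_CONNS]; }; /* NULL slot: no such id */

/* Find the tree id and take a reference; NULL means the caller must fail cleanly. */
static struct tree_conn *tree_conn_lookup(struct session *s, uint32_t id)
{
    for (int i = 0; i < MAX_TREE_CONNS; i++)
        if (s->conns[i] && s->conns[i]->id == id) {
            s->conns[i]->refcount++;
            return s->conns[i];
        }
    return NULL;
}
static void tree_conn_put(struct tree_conn *tc)
{
    if (--tc->refcount == 0)
        free(tc);                      /* last reference frees exactly once */
}
int tree_conn_add(struct session *s, uint32_t id)
{
    int i = 0;
    while (i < MAX_TREE_CONNS && s->conns[i]) i++;
    if (i == MAX_TREE_CONNS) return -1; /* table full */
    struct tree_conn *tc = calloc(1, sizeof *tc);
    if (!tc) return -1;
    tc->id = id; tc->refcount = 1;     /* the slot's own reference */
    s->conns[i] = tc;
    return 0;
}
/* SMB2_TREE_DISCONNECT handler: a repeated disconnect for the same id, or one
 * for an id that never existed, is rejected instead of touching freed memory. */
uint32_t handle_tree_disconnect(struct session *s, uint32_t tree_id)
{
    struct tree_conn *tc = tree_conn_lookup(s, tree_id);
    if (!tc)
        return STATUS_NETWORK_NAME_DELETED;
    for (int i = 0; i < MAX_TREE_CONNS; i++)
        if (s->conns[i] == tc)
            s->conns[i] = NULL;        /* unlink first so later lookups miss it */
    tree_conn_put(tc);                 /* drop the slot's reference */
    tree_conn_put(tc);                 /* drop the lookup reference; frees now */
    return STATUS_SUCCESS;
}
```

A request that still holds a lookup reference when the disconnect arrives keeps the object alive until it calls tree_conn_put itself, which is what prevents the use-after-free.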

The vulnerability has a CVSS score of 10.0 but does not yet have a CVE assigned to it.

The Linux Foundation also issued an update to correct this vulnerability.
