Categories: Cyber Security News

Linux Kernel’s KSMBD Subsystem Vulnerability Lets Remote Attackers Exhaust Server Resources

A denial-of-service flaw in the Linux kernel’s KSMBD (SMB Direct) subsystem has raised alarms across the open-source community. 

Tracked as CVE-2025-38501, the issue allows a remote, unauthenticated adversary to exhaust all available SMB connections by exploiting the kernel’s handling of half-open TCP sessions. 

Key Takeaways
1. CVE-2025-38501 lets attackers exhaust KSMBD connections via half-open TCP handshakes.
2. PoC “KSMBDrain” floods servers with SYN packets to trigger the flaw.
3. Patched in Linux 6.1.15+; upgrade or rate-limit port 445.

A public proof-of-concept exploit, dubbed KSMBDrain, demonstrates how attackers can overwhelm a KSMBD server simply by initiating thousands of TCP three-way handshakes and then failing to complete the session, causing the server to hold sockets indefinitely.

KSMBD DoS Attack

The flaw originates from KSMBD’s default behavior of retaining incomplete connections without an upper limit on pending SYN–ACK sockets. When a client sends a SYN, the kernel replies with a SYN–ACK and awaits the final ACK. 

If that ACK never arrives, KSMBD will keep the connection slot open. By repeatedly sending SYN packets from a single IP address, an attacker can saturate the server’s max_connections limit configured in /etc/ksmbd/ksmbd.conf, resulting in a complete denial of subsequent legitimate SMB traffic. 

Although administrators can set a handshake_timeout as low as one minute, this only slows the attack rather than preventing it, since an attacker can continuously reopen new half-open sessions.

The publicly available PoC, written in Python, leverages raw sockets to mass-spawn handshake attempts. A snippet from poc.py reveals the simplicity of the exploit:

(Image: KSMBD DoS Attack, snippet of poc.py)

Running this script against a vulnerable server quickly depletes the connection pool, rendering SMB shares inaccessible and effectively halting file transfers and authentication services.

Risk Factors and Details
Affected Products: Linux Kernel KSMBD subsystem (versions 5.3 and later)
Impact: Denial of Service
Exploit Prerequisites: Network connectivity to the target KSMBD server on TCP port 445; no authentication required
CVSS 3.1 Score: Not yet assigned

Mitigations

The vulnerability was introduced in Linux kernel 5.3 when the KSMBD module was merged into the mainline. Upstream maintainers addressed the issue in commit e6bb9193974059ddbb0ce7763fa3882bd60d4dc3, which adds a configurable backlog limit and enforces a shorter tcp_synack_retries threshold for half-open sockets. 

Distributions have begun rolling out updated kernel packages; users should apply the fix by upgrading to Linux 6.1.15 or later.

In environments where an immediate kernel upgrade is impractical, network-level rate limiting on TCP port 445 and stricter firewall rules can help mitigate exploitation. 

Additionally, security teams are advised to monitor for an abnormal number of SYN packets and to adjust KSMBD’s user-space settings to lower handshake_timeout and limit backlog counts.
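As an added example for the monitoring advice above (not code from the article or from the KSMBDrain PoC), the following Python checker parses the output of `ss -tan`, counts half-open (SYN-RECV) sockets on TCP port 445 per peer address, flags sources above a threshold, and compares the total against the max_connections value from ksmbd.conf. The sample output embedded below is constructed, and the column layout assumed is the standard `ss` one.

```python
import re
from collections import Counter

# Constructed sample of `ss -tan` output (not a real capture). Columns:
# State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN   0      128    0.0.0.0:445         0.0.0.0:*
SYN-RECV 0      0      192.0.2.10:445      198.51.100.7:40001
SYN-RECV 0      0      192.0.2.10:445      198.51.100.7:40002
SYN-RECV 0      0      192.0.2.10:445      198.51.100.7:40003
SYN-RECV 0      0      192.0.2.10:445      203.0.113.5:51000
ESTAB    0      0      192.0.2.10:445      203.0.113.9:52000
SYN-RECV 0      0      192.0.2.10:22       198.51.100.7:40004
"""

# state, recv-q, send-q, local addr, local port, peer addr, peer port
LINE_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s*$")


def half_open_by_peer(ss_output, local_port=445):
    """Count SYN-RECV sockets on local_port, keyed by peer IP address."""
    counts = Counter()
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line, LISTEN socket with '*' port, etc.
        state, _laddr, lport, peer, _pport = m.groups()
        if state == "SYN-RECV" and int(lport) == local_port:
            counts[peer] += 1
    return counts


def flag_sources(counts, threshold):
    """Peers holding at least `threshold` half-open SMB sockets."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def pool_pressure(counts, max_connections):
    """Fraction of the KSMBD connection pool (max_connections from
    ksmbd.conf) currently consumed by half-open sockets."""
    return sum(counts.values()) / max_connections


if __name__ == "__main__":
    c = half_open_by_peer(SAMPLE_SS_OUTPUT)
    print("half-open per peer:", dict(c))
    print("flagged:", flag_sources(c, 3))
    print("pool pressure:", pool_pressure(c, 8))
```

Run it periodically against live `ss -tan` output (for example via subprocess) and alert when flag_sources returns anything or pool_pressure approaches 1.0.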

As SMB services remain a critical component for file sharing and authentication in enterprise networks, prompt patching is essential. 

The KSMBDrain exploit underscores the importance of defending against resource exhaustion attacks that leverage protocol-level quirks rather than code injection or privilege escalation.

Continuous monitoring and maintaining up-to-date kernel versions will mitigate the risk posed by CVE-2025-38501.


The post Linux Kernel’s KSMBD Subsystem Vulnerability Lets Remote Attackers Exhaust Server Resources appeared first on Cyber Security News.
