A newly disclosed vulnerability in the Linux kernel’s KSMBD subsystem has been assigned CVE-2025-38501, allowing remote attackers to exhaust server resources and cause denial-of-service (DoS) conditions. The flaw, discovered by security researcher Tianshuo Han, affects Linux kernels since version 5.3, when KSMBD was first merged into mainline.
According to the researcher, “This issue allows a remote attacker to exhaust the KSMBD server’s TCP connection limit and prevent other normal client connections.”
Dubbed KSMBDrain, the vulnerability arises from how the KSMBD subsystem handles TCP connections. By initiating a three-way TCP handshake but deliberately not completing the session, attackers can force the KSMBD server to indefinitely hold these half-open connections.
Han explains, “A remote attacker can exhaust a KSMBD server’s maximum connection limit by performing a TCP 3-way handshake and then not responding to further packets. By default, the KSMBD server will hold such connections indefinitely, allowing an attacker to consume all available connections.”
Although administrators can configure a timeout in the KSMBD user-space configuration file (with a minimum of one minute), this does little to prevent abuse. Even from a single IP address, attackers can repeatedly initiate bogus connections, effectively blocking legitimate clients from accessing SMB services.
The vulnerability exposes Linux servers running KSMBD to remote denial-of-service attacks, disrupting SMB file sharing services critical to enterprises. Exploitation does not require authentication, significantly lowering the attack barrier.
A public proof-of-concept (PoC) has already been released on GitHub. The usage instructions are straightforward, making exploitation trivial:
- Start a vulnerable KSMBD server.
- Set the victim IP in poc.py.
- Run the script to initiate repeated TCP handshakes.
The issue has been fixed in Linux kernel commit e6bb9193974059ddbb0ce7763fa3882bd60d4dc3, which modifies how KSMBD handles incomplete TCP handshakes.
System administrators are strongly advised to:
- Update to the patched kernel version immediately.
- Monitor unusual TCP connection spikes that may indicate exploitation attempts.
- Apply connection rate-limiting and firewall rules to reduce exposure until updates are applied.
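To support the monitoring advice above, here is an added example (not from the article, the researcher, or the kernel project) that parses `ss` output for established connections to the SMB port and flags peers holding an unusual number of them. The sample output is constructed, and the per-peer threshold and the server's configured connection limit are assumed inputs the operator supplies.

```python
import re
import subprocess
from collections import Counter

# Constructed sample of `ss -Htn state established '( sport = :445 )'` output
# (-H suppresses the header). These addresses are documentation ranges, not a real capture.
SAMPLE_SS_OUTPUT = """\
0      0      10.0.0.5:445       203.0.113.7:51234
0      0      10.0.0.5:445       203.0.113.7:51235
0      0      10.0.0.5:445       203.0.113.7:51236
0      0      10.0.0.5:445       203.0.113.7:51237
0      0      10.0.0.5:445       198.51.100.20:40211
0      0      10.0.0.5:445       192.0.2.9:60001
"""

# The last ':' separates address from port, so this also handles bracketed IPv6 peers.
_PEER_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")


def peers_from_ss(output):
    """Return one peer IP per established connection found in ss output."""
    peers = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        match = _PEER_RE.match(fields[3])  # column 4 is "Peer Address:Port"
        if match:  # a header line ("Address:Port") has no numeric port and is skipped
            peers.append(match.group("addr").strip("[]"))
    return peers


def connection_report(output, per_peer_threshold, max_connections):
    """Summarise SMB connections: total, per-peer counts, peers over threshold,
    and the fraction of the (assumed) configured connection limit in use."""
    counts = Counter(peers_from_ss(output))
    total = sum(counts.values())
    return {
        "total": total,
        "per_peer": dict(counts),
        "noisy_peers": {ip: n for ip, n in counts.items() if n >= per_peer_threshold},
        "capacity_used": total / max_connections if max_connections else 0.0,
    }


if __name__ == "__main__":
    try:  # live run on a host with iproute2; falls back to the constructed sample
        out = subprocess.run(["ss", "-Htn", "state", "established", "( sport = :445 )"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_SS_OUTPUT
    print(connection_report(out, per_peer_threshold=3, max_connections=10))
```

A single peer holding many idle established sessions to port 445 is the pattern described above; the report is meant to feed an alert or a rate-limiting decision, not to block on its own.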