cbcvebase.
CVE-2025-37899
published 2025-05-20


Priority: P276 · high · 7.8 (CVSS 3.1)
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 0.35% (27.3th percentile)

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in session logoff

The sess->user object can currently be in use by another thread, for example if another connection has sent a session setup request to bind to the session being free'd. The handler for that connection could be in the smb2_sess_setup function which makes use of sess->user.

Affected

20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 6.1.159-1 (bookworm) | linux 6.1.159-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.159-1 (bookworm) | linux 6.1.159-1 (bookworm) |
| linux | linux | | |
| linux | linux | >= 0626e6641f6b467447c81dd7678a69c66f7746cf < 931dc8a3670f71c45c0b1379ea4e92dafbda1aca | 931dc8a3670f71c45c0b1379ea4e92dafbda1aca |
| linux | linux | >= 0626e6641f6b467447c81dd7678a69c66f7746cf < 70ad6455139e26e85f48f95d0e21f351c1909342 | 70ad6455139e26e85f48f95d0e21f351c1909342 |
| linux | linux | >= 0626e6641f6b467447c81dd7678a69c66f7746cf < d5ec1d79509b3ee01de02c236f096bc050221b7f | d5ec1d79509b3ee01de02c236f096bc050221b7f |
| linux | linux | >= 0626e6641f6b467447c81dd7678a69c66f7746cf < 02d16046cd11a5c037b28c12ffb818c56dd3ef43 | 02d16046cd11a5c037b28c12ffb818c56dd3ef43 |
| linux | linux | >= 0626e6641f6b467447c81dd7678a69c66f7746cf < 2fc9feff45d92a92cd5f96487655d5be23fb7e2b | 2fc9feff45d92a92cd5f96487655d5be23fb7e2b |
| linux | linux_kernel | | |
| linux | linux_kernel | >= 0 < 6.1.159-1 | 6.1.159-1 |
| linux | linux_kernel | >= 0 < 6.12.29-1 | 6.12.29-1 |
| linux | linux_kernel | >= 0 < 6.12.29-1 | 6.12.29-1 |
| linux | linux_kernel | >= 0 < 6.8.0-101.101 | 6.8.0-101.101 |
| linux | linux_kernel | >= 0 < 6.14.0-24.24 | 6.14.0-24.24 |
| linux | linux_kernel | >= 5.15 < 6.12.28 | 6.12.28 |
| linux | linux_kernel | >= 6.13 < 6.14.6 | 6.14.6 |
| msrc | azl3_kernel_6.6.104.2-4_on_azure_linux_3.0 | | |
| msrc | azl3_kernel_6.6.96.2-1_on_azure_linux_3.0 | | |
| msrc | azl3_kernel_6.6.96.2-2_on_azure_linux_3.0 | | |
| msrc | cbl2_kernel_5.15.186.1-1_on_cbl_mariner_2.0 | | |

Detection & IOCs (extracted from sources)

  • The vulnerability exists in the Linux kernel's ksmbd (SMB network file system) subsystem — specifically a use-after-free in session logoff triggered via concurrent SMB2 session setup requests binding to a session being freed. Monitor for unexpected ksmbd crashes or memory corruption in SMB server workloads.
  • The vulnerable code path is in the smb2_sess_setup function within the ksmbd kernel module. Detection should focus on concurrent SMB2 SESSION_SETUP requests targeting the same session on Linux SMB servers running ksmbd.
  • Debian bookworm fix is available in kernel version 6.1.159-1; forky, sid, and trixie are fixed in 6.12.29-1. Systems running older kernel versions remain vulnerable.
  • Red Hat Enterprise Linux 6, 7, 8, 9, and 10 (including kernel-rt variants) are all listed as Not Affected for this CVE.
  • The vulnerability scope is local and affects the SMB network file system (ksmbd) subsystem. Ubuntu's security notice groups it with CVE-2025-22037 under the same SMB subsystem fix.

CVSS provenance

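| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | | 7.8 | HIGH | |
| vulncheck | | 7.8 | HIGH | |
| vendor_debian | | 7.8 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |
| vendor_ubuntu | | 7.8 | HIGH | |
| vendor_msrc | | 4.7 | MEDIUM | |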