SB2025031270 - Improper locking in Linux kernel ksmbd
Published: March 12, 2025 Updated: May 11, 2025
Security Bulletin ID
SB2025031270
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper locking (CVE-ID: CVE-2024-58087)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the check_session_id(), smb2_check_user_session(), smb2_sess_setup(), smb2_session_logoff() and smb3_decrypt_req() functions in fs/ksmbd/smb2pdu.c, within the ksmbd_session_lookup() and ksmbd_session_lookup_slowpath() functions in fs/ksmbd/mgmt/user_session.c, within the ksmbd_get_encryption_key() function in fs/ksmbd/auth.c. A local user can perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://git.kernel.org/stable/c/2107ab40629aeabbec369cf34b8cf0f288c3eb1b
- https://git.kernel.org/stable/c/37a0e2b362b3150317fb6e2139de67b1e29ae5ff
- https://git.kernel.org/stable/c/450a844c045ff0895d41b05a1cbe8febd1acfcfd
- https://git.kernel.org/stable/c/a39e31e22a535d47b14656a7d6a893c7f6cf758c
- https://git.kernel.org/stable/c/b95629435b84b9ecc0c765995204a4d8a913ed52
- https://www.zerodayinitiative.com/advisories/ZDI-25-100/
- https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.176
- https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.121
- https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.6
- https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.13
- https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.67