Security researchers have released a full proof-of-concept (PoC) exploit for a high-severity vulnerability in the Linux kernel’s ksmbd module, demonstrating a reliable path to local privilege escalation.

The vulnerability, tracked as CVE-2025-37947, is an out-of-bounds write that can be leveraged by an authenticated local attacker to gain complete root control over a vulnerable system.

This discovery, detailed by researchers at Doyensec, is the culmination of extensive vulnerability research into the kernel-level Server Message Block (SMB) server, which has seen increased adoption in recent Linux versions.

The public release of the exploit code underscores the practical risk posed by this flaw to systems running the affected kernel module.

The root cause of CVE-2025-37947 lies within the ksmbd_vfs_stream_write() function, which is responsible for handling write operations to file streams using extended attributes.

The vulnerability can be triggered by an authenticated user on systems where ksmbd is configured with a writable share and the streams_xattr VFS module is enabled.

The flaw stems from improper size validation when a user-supplied position and data count surpass the XATTR_SIZE_MAX limit of 65,536 bytes.

Although the code truncates the allocation size for the buffer, it fails to adjust the count for the memcpy operation accordingly.

This logic error allows an attacker to write a controlled amount of data past the boundary of the allocated kernel buffer, leading to memory corruption in an adjacent memory region.

From Bug To Root Privilege Escalation

The Doyensec researchers detailed how this out-of-bounds write primitive can be escalated into a full root exploit on a modern Linux system, specifically Ubuntu 22.04.5 LTS.

The exploitation strategy involves a sophisticated, multi-stage process that begins with heap shaping to manipulate the kernel’s memory layout.

By carefully allocating and freeing kernel objects, the attackers could position a controlled victim object, a msg_msg kernel message structure, directly after the vulnerable buffer.

The out-of-bounds write is then used to corrupt the msg_msg header, creating a use-after-free (UAF) condition.

This UAF primitive is subsequently used to leak kernel memory addresses, bypassing Kernel Address Space Layout Randomization (KASLR).

With KASLR defeated, the attackers reuse the UAF to overwrite a function pointer in a pipe_buffer object, hijacking the kernel’s control flow to execute a ROP chain that grants them root privileges.

Proof-of-Concept Exploit Released

In their disclosure, the researchers published the complete local privilege escalation exploit on GitHub. This allows other security professionals to analyze the attack and validate its impact on their systems.

While the current exploit focuses on local access, the researchers noted that remote exploitation is significantly more challenging, as it would likely require a separate information disclosure vulnerability to defeat KASLR and make heap grooming reliable.

This finding is part of a broader security audit of ksmbd by Doyensec, which has previously uncovered other critical vulnerabilities, including several unauthenticated race conditions and memory exhaustion flaws.

System administrators are advised to review their use of ksmbd and ensure that their systems are patched against CVE-2025-37947 as updates become available from their Linux distribution providers.

Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today

The post Linux Kernel ksmbd Filesystem Vulnerability Exploited – PoC Released appeared first on Cyber Security News.