Linux Kernel ksmbd Type Confusion Vulnerability via Race Condition in IPC Message Handling

Vulnerability

A type confusion vulnerability has been identified in the Linux kernel's ksmbd component. It stems from a race condition in the handling of IPC messages: the handle for an ipc_msg_send_request is allocated with ksmbd_acquire_id, and the req->handle values used by ksmbd_ipc_login_request and by the FSCTL_PIPE_TRANSCEIVE ioctl can overlap, so one message's response can be confused with another's. A response delivered to the wrong request could then give access to unintended areas of memory. ksmbd does verify the type of each IPC response, but it does not properly manage the continuation to the next response, which leaves a gap in the handling process.

Impact

Exploitation of this vulnerability could result in unauthorized access to memory, potentially leading to information disclosure or manipulation.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 5.0
exploitability: 5.0
remediation: 0.0
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.