VYPR
Unrated severity · NVD Advisory · Published Oct 29, 2025 · Updated Apr 15, 2026

CVE-2025-40084

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: transport_ipc: validate payload size before reading handle

handle_response() dereferences the payload as a 4-byte handle without verifying that the declared payload size is at least 4 bytes. A malformed or truncated message from ksmbd.mountd can lead to a 4-byte read past the declared payload size. Validate the size before dereferencing.

This is a minimal fix to guard the initial handle read.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's ksmbd file server, the `handle_response()` function in `transport_ipc.c` fails to validate that the declared payload size is at least 4 bytes before dereferencing the payload as a 4-byte handle, allowing a malformed message from `ksmbd.mountd` to cause a 4-byte read past the declared payload size.

Vulnerability Overview

CVE-2025-40084 is a missing bounds check in the IPC transport layer of the Linux kernel's ksmbd (SMB server) module. The handle_response() function in transport_ipc.c dereferences the payload as a 4-byte handle without first verifying that the declared payload size is at least 4 bytes. As a result, a malformed or truncated message from the userspace daemon ksmbd.mountd can trigger a 4-byte read beyond the declared payload boundary [1][2].
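As an added illustration (not the kernel's code, and not the patch itself), a simplified model of the check the fix describes: a response message carrying a declared payload size, a handler that reads the 4-byte handle blindly, and the hardened variant that rejects any message whose declared size cannot hold a handle. The struct `ipc_msg`, the functions `read_handle_unchecked`/`read_handle_checked`, and the sample messages are all hypothetical and constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model of a ksmbd IPC response message: a
 * declared payload size followed by the payload bytes. Not the kernel's
 * real structure; in the kernel the buffer is only as large as declared,
 * so bytes beyond sz belong to whatever sits next to it in memory. */
struct ipc_msg {
    uint32_t sz;                 /* declared payload size from the daemon */
    unsigned char payload[8];    /* bytes 0..sz-1 are the real payload */
};

/* Decode a 4-byte little-endian handle so results are the same on any host. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable pattern: read the handle without checking sz. When sz < 4
 * this returns bytes the daemon never sent. */
static uint32_t read_handle_unchecked(const struct ipc_msg *m)
{
    return le32(m->payload);
}

/* Fixed pattern: refuse the message unless sz covers the whole handle.
 * Returns the handle, or -1 for a truncated message. */
static int64_t read_handle_checked(const struct ipc_msg *m)
{
    if (m->sz < sizeof(uint32_t))
        return -1;
    return le32(m->payload);
}

/* Constructed sample messages (not real ksmbd traffic). */
static const struct ipc_msg well_formed = {
    .sz = 4, .payload = { 0x78, 0x56, 0x34, 0x12 } };
/* Only two bytes declared; 0xAA/0xBB stand in for adjacent memory. */
static const struct ipc_msg truncated = {
    .sz = 2, .payload = { 0x78, 0x56, 0xAA, 0xBB } };

int main(void)
{
    printf("unchecked, truncated: 0x%08x\n", (unsigned)read_handle_unchecked(&truncated));
    printf("checked, truncated:   %lld\n", (long long)read_handle_checked(&truncated));
    return 0;
}
```

The unchecked read of the truncated message yields 0xBBAA5678, two bytes of which were never part of the declared payload; the checked read rejects the same message outright.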

Attack Vector

An attacker who can influence the IPC messages sent by ksmbd.mountd (or who can spoof such messages) can exploit this flaw. No special privileges beyond the ability to send crafted IPC messages are required. The vulnerability is triggered during normal message handling, so no unusual network position is needed; the attacker must only be able to interact with the ksmbd IPC channel [3][4].

Impact

Successful exploitation allows an attacker to read 4 bytes of kernel memory beyond the declared payload. This out-of-bounds read could leak sensitive information, such as kernel pointers or other data, potentially aiding in further attacks. The read is limited to 4 bytes, but the information disclosure may be sufficient to bypass KASLR or other mitigations.

Mitigation

The fix, which adds a size check before the handle dereference, has been applied to the Linux kernel stable trees. Users should update to a kernel version containing the commit [1][2][3][4]. No workaround is available; patching is required.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
