CVE-2025-40285
Description
In the Linux kernel, the following vulnerability has been resolved:
smb/server: fix possible refcount leak in smb2_sess_setup()
The reference count of ksmbd_session will leak when the session needs to reconnect. Fix this by adding the missing ksmbd_user_session_put().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reference count leak in the Linux kernel's SMB server session setup could lead to resource exhaustion when sessions need reconnection, fixed by adding a missing put call.
Vulnerability Description
A reference count leak has been found in the SMB server implementation within the Linux kernel. The issue occurs in the smb2_sess_setup() function, where the reference count of a ksmbd_session object is not properly decremented when a session needs to reconnect. This missing ksmbd_user_session_put() call means the session's reference count remains elevated even after it should have been released [1][2][3].
Exploitation and Impact
The vulnerability can be triggered through normal SMB session reconnection operations, requiring only the ability to initiate SMB connections to a vulnerable kernel's SMB server. An attacker who can cause repeated session reconnections could gradually accumulate leaked session references and the resources they hold, potentially leading to a denial-of-service condition. No special privileges are needed beyond basic network access to the SMB server port.
Mitigation
The fix has been applied to the Linux kernel stable branches, as seen in the upstream commit references [1][2][3]. System administrators should update their kernels to include the patch that adds the missing ksmbd_user_session_put() call to properly balance the reference count during session setup failure or reconnection paths.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
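To illustrate the get/put imbalance described above, here is an added example (not the kernel's code and not part of this CVE record): a userspace C model in which a lookup takes a reference and the reconnect path returns without releasing it, shown next to the balanced form. All names (session_get, session_put, setup_leaky, setup_fixed, outstanding_after) are hypothetical stand-ins.

```c
/* Userspace model of a get/put imbalance. NOT ksmbd source; all names hypothetical. */
#include <stdbool.h>
#include <stdio.h>

struct session { int refcnt; bool need_reconnect; bool freed; };
static struct session *session_get(struct session *s) { s->refcnt++; return s; }

/* Drop one reference; the object is released only when the count reaches 0. */
static void session_put(struct session *s) { if (--s->refcnt == 0) s->freed = true; }

/* Leaky shape: the reconnect path returns while still holding its reference. */
static int setup_leaky(struct session *entry)
{
    struct session *sess = session_get(entry);
    if (sess->need_reconnect)
        return -1;         /* missing session_put(sess) */
    session_put(sess);
    return 0;
}

/* Fixed shape: every exit path drops the reference taken at lookup. */
static int setup_fixed(struct session *entry)
{
    struct session *sess = session_get(entry);
    int rc = sess->need_reconnect ? -1 : 0;
    session_put(sess);
    return rc;
}

/* Run n setups on a reconnect-flagged session, then drop the owner's ref; return refs left. */
static int outstanding_after(int (*setup)(struct session *), int n, bool *freed)
{
    struct session s = { .refcnt = 1, .need_reconnect = true, .freed = false };
    for (int i = 0; i < n; i++)
        setup(&s);
    session_put(&s);       /* owner lets go; this should release the object */
    *freed = s.freed;
    return s.refcnt;
}

int main(void)
{
    bool f1, f2;
    int a = outstanding_after(setup_leaky, 1000, &f1);
    int b = outstanding_after(setup_fixed, 1000, &f2);
    printf("leaky: %d outstanding, freed=%d\nfixed: %d outstanding, freed=%d\n", a, f1, b, f2);
    return 0;
}
```

In the leaky form the count never returns to zero after teardown, so the modelled object is never released; this is the condition that refcount-leak detection and memory-growth monitoring on a file server would surface.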
Affected products (2)
Patches (5)
- 6fc935f798d4
- e671f9bb9780
- dcc51dfe6ff2
- d37b2c81c83d
- 379510a815cb
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/379510a815cb2e64eb0a379cb62295d6ade65df0 (nvd)
- git.kernel.org/stable/c/6fc935f798d44a8eb8a5e6659198399fbf57b981 (nvd)
- git.kernel.org/stable/c/d37b2c81c83d6c0d5ca582f4fe73c672983f9e0d (nvd)
- git.kernel.org/stable/c/dcc51dfe6ff26b52cac106865a172ac982d78401 (nvd)
- git.kernel.org/stable/c/e671f9bb97805771380c98de944e2ceab6949188 (nvd)