VYPR
Unrated severity · NVD Advisory · Published Dec 6, 2025 · Updated Apr 15, 2026

CVE-2025-40286

Description

In the Linux kernel, the following vulnerability has been resolved:

smb/server: fix possible memory leak in smb2_read()

Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Memory leak in Linux kernel's smb/server (ksmbd) smb2_read() can lead to resource exhaustion.

Vulnerability

In the Linux kernel's SMB server (ksmbd), the smb2_read() function allocates memory that is not freed when ksmbd_vfs_read() fails, leading to a memory leak [1]. The missing kvfree() call causes the allocated buffer to persist, gradually exhausting kernel memory over repeated failed SMB read operations.

Exploitation

An attacker with network access to the SMB server can trigger the leak by sending malformed SMB2 read requests that cause ksmbd_vfs_read() to return an error. No authentication is required if the server allows anonymous access; otherwise, valid credentials are needed. The attack is low-complexity and can be performed remotely.

Impact

Successful exploitation results in a denial of service (DoS) due to kernel memory exhaustion. The system may become unresponsive, crash, or require a reboot to recover. There is no evidence of information disclosure or privilege escalation from this bug.

Mitigation

The fix adds the missing kvfree() call and has been backported to multiple stable kernel branches [1][2][3][4]. Administrators should update their kernels to include the corresponding commit. No workaround is available besides applying the patch or restricting SMB access.
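The error-path leak and its fix described above, modeled in userspace C as an added example; this is not the kernel's code or the fix commit, and `model_alloc`, `model_free`, `model_vfs_read`, `read_leaky`, `read_fixed` and the error values are hypothetical stand-ins. A counter of live buffers makes the effect of repeated failed reads measurable.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model; every name here is a hypothetical stand-in, not ksmbd code. */
static long live_bufs;                       /* buffers allocated and not yet freed */
static void *model_alloc(size_t n) { void *p = calloc(1, n); if (p) live_bufs++; return p; }
static void model_free(void *p) { if (p) { live_bufs--; free(p); } }

/* Stand-in for the VFS read step: bytes read, or a negative error. */
static long model_vfs_read(char *buf, size_t len, int fail)
{
    if (fail)
        return -5;                           /* constructed error value */
    buf[0] = 'A';                            /* pretend data was read */
    return (long)len;
}

/* Before: the error path returns without releasing the payload buffer. */
static long read_leaky(size_t len, int fail)
{
    char *payload = model_alloc(len);
    long n = payload ? model_vfs_read(payload, len, fail) : -12;
    if (n < 0)
        return n;                            /* payload is orphaned here */
    model_free(payload);                     /* success: reply sent, buffer released */
    return n;
}

/* After: the buffer is freed whether or not the read succeeds. */
static long read_fixed(size_t len, int fail)
{
    char *payload = model_alloc(len);
    long n = payload ? model_vfs_read(payload, len, fail) : -12;
    model_free(payload);                     /* the free the error path lacked */
    return n;
}

/* Run `count` failing reads; return how many buffers are still allocated. */
static long leaked_after(long (*fn)(size_t, int), int count)
{
    long before = live_bufs;
    for (int i = 0; i < count; i++)
        fn(4096, 1);
    return live_bufs - before;
}

int main(void)
{
    printf("leaky=%ld fixed=%ld\n", leaked_after(read_leaky, 1000), leaked_after(read_fixed, 1000));
    return 0;
}
```

In the model each failed read through `read_leaky` strands one buffer, so the outstanding count grows linearly with the number of failed requests, while `read_fixed` stays at zero.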

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

5

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
