CVE-2025-68786
Description
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: skip lock-range check on equal size to avoid size==0 underflow
When size equals the current i_size (including 0), the code used to call check_lock_range(filp, i_size, size - 1, WRITE), which computes size - 1 and can underflow for size==0. Skip the equal case.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's ksmbd, a lock-range check with size equal to i_size can cause an integer underflow, leading to a denial of service.
Root Cause
The vulnerability resides in the Linux kernel's ksmbd server, specifically in the code that handles lock-range requests. When the requested size equals the current i_size (which can be 0), the function check_lock_range is called with arguments (filp, i_size, size - 1, WRITE). If size is 0, computing size - 1 results in an integer underflow, producing a large positive value instead of -1.[1][2]
Attack Vector
An attacker can exploit this by issuing a crafted SMB lock request where the lock range size matches the file's i_size, including the case where i_size is 0 (e.g., an empty file). The underflow leads to unexpected behavior in the lock-range validation logic, potentially causing a system crash or hang.
Impact
Successful exploitation can cause denial of service (DoS) on the ksmbd server, disrupting file sharing services for legitimate users. The vulnerability can be triggered remotely without authentication, as SMB lock requests are typically handled during file access.
Mitigation
The fix introduces a check to skip the check_lock_range call when the size equals i_size, preventing the underflow. The patch has been applied to the Linux stable kernel trees. Users should update to the patched kernel version.[1][2]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (5)
- git.kernel.org/stable/c/52fcbb92e0d3acfd1448b2a43b6595d540da5295 (nvd)
- git.kernel.org/stable/c/571204e4758a528fbd67330bd4b0dfbdafb33dd8 (nvd)
- git.kernel.org/stable/c/5d510ac31626ed157d2182149559430350cf2104 (nvd)
- git.kernel.org/stable/c/a6f4cfa3783804336491e0edcb250c25f9b59d33 (nvd)
- git.kernel.org/stable/c/da29cd197246c85c0473259f1cad897d9d28faea (nvd)