oss-sec mailing list archives

[CVE-2025-38501] Linux kernel: KSMBD service DoS by TCP handshake


From: tianshuo han <hantianshuo233 () gmail com>
Date: Mon, 15 Sep 2025 17:13:04 +0800

Hello,

A security vulnerability in the Linux kernel KSMBD subsystem has been
assigned CVE-2025-38501. This issue allows a remote attacker to exhaust
the KSMBD server's TCP connection limit and prevent other normal client
connections.

Details:
- CVE: CVE-2025-38501
- Subsystem: KSMBD
- Impact: Remote Denial of Service (exhaust KSMBD server's max
connections)
- Affected versions: all kernels since KSMBD was merged into mainline in 5.15
- Fixed in: Upstream commit e6bb9193974059ddbb0ce7763fa3882bd60d4dc3

Description:
A remote attacker can exhaust a KSMBD server’s maximum connection
limit by performing a TCP 3-way handshake and then not responding to
further packets. By default, the KSMBD server will hold such
connections indefinitely, allowing an attacker to consume all available
connections. While a timeout can be configured in the user-space
configuration file (with a minimum of 1 minute), an attacker from a
single IP address can still cause a DoS to the SMB service by
repeatedly initiating such connections.
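A defender-side check for the exhaustion pattern described above, added here as an example and not part of the advisory or of the KSMBD project: it parses `ss -Htn` output for established connections to TCP/445, normalizes IPv4-mapped IPv6 peers, and reports any single source holding more than a chosen number of connections. The `ss` output format and the sample lines are assumptions (the sample is constructed).

```python
"""Flag SMB (TCP/445) connection hoarding from `ss` output (added example)."""
import ipaddress
import subprocess
from collections import Counter

SMB_PORT = 445

# Constructed sample of `ss -Htn state established` lines: one peer holds
# four connections to port 445 (one via a v4-mapped IPv6 socket), another
# holds one, and one line is unrelated SSH traffic.
SAMPLE_SS_OUTPUT = """\
ESTAB 0 0 192.0.2.10:445 203.0.113.5:51234
ESTAB 0 0 192.0.2.10:445 203.0.113.5:51235
ESTAB 0 0 192.0.2.10:445 203.0.113.5:51236
ESTAB 0 0 [::ffff:192.0.2.10]:445 [::ffff:203.0.113.5]:51237
ESTAB 0 0 192.0.2.10:445 198.51.100.7:40001
ESTAB 0 0 192.0.2.10:22 203.0.113.5:51300
""".splitlines()


def normalize_ip(text):
    """Collapse ::ffff:a.b.c.d to a.b.c.d so one peer is counted once."""
    ip = ipaddress.ip_address(text)
    mapped = getattr(ip, "ipv4_mapped", None)
    return str(mapped) if mapped else str(ip)


def smb_peers(lines, local_port=SMB_PORT):
    """Yield the peer IP of every line whose local port is `local_port`."""
    for line in lines:
        # Local and peer "addr:port" are the last two colon-bearing fields;
        # a trailing users:(...) column (from -p) is skipped explicitly.
        addrs = [f for f in line.split() if ":" in f and not f.startswith("users:")]
        if len(addrs) < 2:
            continue
        local, peer = addrs[-2], addrs[-1]
        if local.rsplit(":", 1)[-1] != str(local_port):
            continue
        yield normalize_ip(peer.rsplit(":", 1)[0].strip("[]"))


def total_smb_connections(lines, local_port=SMB_PORT):
    return sum(1 for _ in smb_peers(lines, local_port))


def hoarders(lines, per_source_limit=16, local_port=SMB_PORT):
    """Return {peer_ip: count} for peers above per_source_limit."""
    counts = Counter(smb_peers(lines, local_port))
    return {ip: n for ip, n in counts.items() if n > per_source_limit}


if __name__ == "__main__":
    out = subprocess.run(["ss", "-Htn", "state", "established"],
                         capture_output=True, text=True, check=True).stdout
    print("SMB connections:", total_smb_connections(out.splitlines()))
    print("sources over limit:", hoarders(out.splitlines()))
```

Compare the total against the server's configured connection limit and alert well before it is reached; a per-source count far above normal client behaviour is the signal for this DoS.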

Reproducer:
A public proof-of-concept (PoC) is available at:
https://github.com/keymaker-arch/KSMBDrain

Timeline:
- Reported to Linux kernel community: 2025-08-01
- Patch merged upstream: 2025-08-08
- CVE assigned and public: 2025-08-18

Best regards,
Tianshuo Han

