NEWS From Regular User to Root in Seconds: Critical Linux Flaw Renders All Defenses Worthless

ExcalibuR

Legend
LEGEND
PREMIUM
MEMBER
Joined
Jan 17, 2025
Messages
4,031
Reaction score
7,836
Deposit
11,800$
From Regular User to Root in Seconds: Critical Linux Flaw Renders All Defenses Worthless
1758852437560.png
Hackers only need a regular password to gain absolute control over the system.

Researcher Nicholas Zubriski from Trend Research has reported a critical flaw in the ksmbd component of the Linux kernel, which allows attackers to remotely execute arbitrary code with maximum system privileges. The vulnerability has been assigned the identifier CVE-2025-38561 and affects all distributions that use the built-in ksmbd-based SMB server.

The flaw lies in the handling of the Preauth_HashValue field during SMB2 session establishment. The developers made an error in thread synchronization: a missing lock around a shared memory access created a race condition in which several threads could modify the same object at the same time. The result is memory corruption that can divert the kernel's execution flow, opening the path to arbitrary code execution in kernel space.

While exploitation requires valid user credentials, this does not lessen the severity of the risk. Many organizations provide access to SMB services on internal and external networks, meaning credentials could be stolen or reused. A successful attack grants complete control over the system, including the ability to stealthily install malware and take infrastructure offline.

The vulnerability was reported privately on July 22, 2025, and public disclosure occurred on September 24 following the publication of coordinated recommendations. The issue received a CVSS score of 8.5, reflecting the network-based attack vector, low required privilege level, and no need for user interaction.

A fix has already been included in the latest versions of the Linux kernel: correct locking mechanisms have been added to prevent the race condition when handling Preauth_HashValue. Administrators are advised to:

  • Identify nodes using vulnerable kernel versions.
  • Immediately install the latest updates from the stable branch or distribution vendors.
  • Reboot machines to activate the patches.
  • Review access rules for SMB services and restrict them through network segmentation if necessary.
It is separately noted that no workarounds or mitigation measures exist; the only way to fix the problem is by updating the kernel. Users of distributions with long-term support need to monitor their vendor for the release of security updates.
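As an added example, not part of the original post and not vendor tooling, the POSIX shell script below inventories one host against the advice above: is ksmbd present, is an SMB listener exposed, and does the running kernel predate the fixed release. The post does not name the fixed version, so FIXED_KERNEL is an assumed placeholder to be filled from your distribution's advisory; the script assumes `modinfo` (kmod), `ss` (iproute2) and GNU `sort -V` are available.

```shell
#!/bin/sh
# Added example, not from the original post. Inventories one host for exposure
# to the ksmbd flaw: is ksmbd built/loaded, is port 445 listening, and does the
# running kernel sort before the fixed release? FIXED_KERNEL is an assumed
# placeholder: take the value from your vendor's advisory for CVE-2025-38561.
FIXED_KERNEL="${FIXED_KERNEL:-}"
# True (exit 0) when version $1 sorts strictly before $2 in `sort -V` order.
# Distribution suffixes such as "-generic" or "+deb12" are stripped first.
version_lt() {
    a=$(printf '%s\n' "$1" | sed 's/[-+].*$//')
    b=$(printf '%s\n' "$2" | sed 's/[-+].*$//')
    [ "$a" != "$b" ] && [ "$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n1)" = "$a" ]
}
# True when ksmbd is loaded (sysfs entry) or at least available as a module.
ksmbd_present() {
    [ -d /sys/module/ksmbd ] && return 0
    modinfo ksmbd >/dev/null 2>&1
}
# True when a TCP listener is bound to the SMB port 445 on any address.
smb_listening() {
    ss -Hlnt 2>/dev/null | awk '{print $4}' | grep -q ':445$'
}
# Reduce the facts to one verdict line.
# $1 kernel version, $2 ksmbd present (yes/no), $3 SMB listening (yes/no), $4 fixed version.
verdict() {
    if [ "$2" = "no" ]; then
        echo "not-affected: ksmbd absent"
    elif [ -z "$4" ]; then
        echo "unknown: set FIXED_KERNEL from your vendor advisory"
    elif version_lt "$1" "$4"; then
        if [ "$3" = "yes" ]; then
            echo "exposed: SMB reachable on a vulnerable kernel, update and reboot"
        else
            echo "vulnerable-but-idle: update kernel and reboot before enabling SMB"
        fi
    else
        echo "patched: kernel at or past fix, confirm the host was rebooted"
    fi
}
main() {
    kver=$(uname -r)
    if ksmbd_present; then present=yes; else present=no; fi
    if smb_listening; then listening=yes; else listening=no; fi
    printf 'kernel=%s ksmbd=%s smb_listening=%s\n' "$kver" "$present" "$listening"
    printf 'verdict: %s\n' "$(verdict "$kver" "$present" "$listening" "$FIXED_KERNEL")"
}
main
```

Run it on each node with `FIXED_KERNEL=<version from advisory> sh ksmbd-check.sh`; a "patched" verdict still requires that the host was rebooted after the update, as the post notes.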

Nicholas Zubriski has already received recognition for the responsible disclosure of the vulnerability, and the Linux community emphasizes that timely action by administrators is critical for protecting corporate environments and storage servers.