CVE-2025-71204 · In the Linux kernel, the following vulnerability has been resolved: smb/server: fix refcount leak in parse_durable_handle_context() When t

01 · The Real Story

This is a slow air leak in a side-door tire, not a grenade in the engine bay

CVE-2025-71204 is a refcount leak in the Linux kernel's ksmbd SMB server path parse_durable_handle_context(). The bad path is hit when a durable-handle replay operation returns -ENOEXEC and the associated ksmbd_file reference is not released, so repeated triggering can pin kernel objects and degrade availability over time. Upstream affected ranges published by Linux/NVD are 6.6.32 through 6.6.123, 6.9 through 6.12.69, 6.13 through 6.18.9, plus 6.19-rc1 through 6.19-rc3; fixes land in 6.6.124, 6.12.70, 6.18.10, and 6.19.

The vendor/NVD MEDIUM 5.5 baseline is defensible in a lab, but it overstates fleet urgency for most enterprises. Real-world exploitation is narrowed by multiple gates: you need the uncommon ksmbd server rather than ordinary Samba, you need reachable SMB service on TCP/445, you likely need a valid SMB session to drive the replay path, and the outcome is an availability leak rather than direct code execution or privilege escalation. On a 10,000-host estate, this is a targeted file-server hygiene issue, not a broad emergency.

"This is a niche, post-auth, ksmbd-only resource leak—not a patch-everything fire drill."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a host actually running ksmbd

The attacker first needs a Linux host exposing the kernel SMB server, not just any SMB service. ksmbd listens on TCP/445 when the server daemon is started, but many enterprises use Samba in userspace instead, so the reachable population is immediately much smaller.

Conditions required:

Target is running the Linux ksmbd SMB server
TCP/445 is reachable from the attacker network position

Where this breaks in practice:

ksmbd is a specific deployment choice, not the default SMB stack in many enterprises
North-south exposure of SMB is uncommon; east-west access is usually segmented

Detection/coverage: Commodity network scanners can find TCP/445, but they generally do not distinguish ksmbd from other SMB servers with high confidence.

STEP 02

Establish an SMB session with a durable-handle-capable workflow

The vulnerable code sits in SMB durable-handle context parsing, so the attacker needs a client capable of driving that protocol path, typically with a custom SMB3 client or a modified framework such as Impacket. In practice this looks more like an authenticated file-server abuse case than anonymous internet exploitation.

Conditions required:

Attacker can authenticate or otherwise reach the durable-handle replay path
Target workflow exercises durable handle context parsing

Where this breaks in practice:

This is not a one-packet crash primitive; it depends on a narrower SMB feature path
Stolen or valid SMB credentials are usually needed in real deployments

Detection/coverage: Protocol-aware SMB telemetry may show unusual create/replay sequences, but most vuln scanners will only flag by kernel version, not by feature-path reachability.

STEP 03

Trigger the -ENOEXEC replay error repeatedly

The attacker sends crafted replay operations so parse_durable_handle_context() hits the error path where the ksmbd_file reference is leaked. A single hit is not the story; the damage comes from repetition and accumulation.

Conditions required:

Replay operation reaches the vulnerable function
The request sequence reliably produces the -ENOEXEC branch

Where this breaks in practice:

Attackers need protocol correctness to keep hitting the same leak path
The impact is incremental resource pressure, not immediate takeover

Detection/coverage: Look for repetitive SMB durable/replay failures, rising ksmbd-related kernel log noise, and unexplained slab growth or stuck refs; signature-based exploit detection is likely weak.

STEP 04

Exhaust resources and degrade the file service

Over time, leaked references can keep objects alive and push the system toward memory pressure, service instability, or eventual denial of service. That matters on production file servers, but it is still a contained availability problem inside one service boundary.

Conditions required:

Attacker can sustain repeated requests long enough to accumulate leaks
Target remains reachable without throttling or operator intervention

Where this breaks in practice:

Rate limits, connection controls, monitoring, and simple service restarts reduce blast radius
The issue does not provide code execution, data theft, or cross-host propagation by itself

Detection/coverage: Host-based monitoring can catch memory pressure, dmesg/journal entries referencing ksmbd, and SMB service instability faster than perimeter tools.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public evidence of active exploitation found in the reviewed sources, and not listed in CISA KEV.
Proof-of-concept availability	I found no public PoC or exploit repo specifically for `CVE-2025-71204` in reviewed search results.
EPSS	`0.00017` (~`0.017%`) with a very low percentile; a reviewed Snyk entry showed roughly the 5th percentile, which matches the weak threat signal.
KEV status	CISA KEV: No. There is no known KEV add date or federal due date because it is not cataloged.
CVSS vector	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H` → vendor/NVD model this as a post-compromise low-privilege availability issue, not a remote unauthenticated internet bug.
Affected upstream versions	`6.6.32–6.6.123`, `6.9–6.12.69`, `6.13–6.18.9`, and `6.19-rc1` to `6.19-rc3`.
Fixed upstream versions	Upstream fixes land in `6.6.124`, `6.12.70`, `6.18.10`, and `6.19`.
Distro backports	Debian tracks fixes in multiple branches, including `bullseye-security 5.10.257-1`, `bookworm-security 6.1.174-1`, `trixie-security 6.12.90-2`, and `sid 7.0.10-1`.
Exposure/scanning reality	Public internet search engines can find SMB on 445, but I found no authoritative public fingerprint that cleanly isolates `ksmbd`; defenders should rely on internal inventory of `ksmbd` module/service plus `445/tcp` exposure.
Disclosure / source	Published by the Linux CNA on 2026-02-14; NVD analysis was added on 2026-03-18. No individual reporter was named in the reviewed records.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.1/10)

The decisive factor is reachability friction: this only matters on hosts actually running ksmbd, and many enterprise Linux systems do not. Even where present, the bug is a narrow durable-handle replay refcount leak with availability impact, not a broad initial-access or code-execution path.

HIGH Affected version ranges and fixed upstream versions

MEDIUM Practical exploit preconditions in real `ksmbd` deployments

HIGH Downgrade rationale driven by exposure population and blast-radius limits

Why this verdict

Downward pressure: requires ksmbd, not generic Linux. The vulnerable component is the kernel SMB server path, which is a much smaller population than 'all Linux hosts'.
Downward pressure: attacker position is already narrowed. You need network reachability to a ksmbd file server and, in realistic deployments, valid SMB access or equivalent protocol state to drive the replay path.
Downward pressure: impact is availability leakage, not takeover. The patch fixes a leaked reference on an error path; that can hurt service stability, but it does not hand over code execution, privilege escalation, or data exfiltration by itself.

Why not higher?

There is no KEV listing, no reviewed public exploitation evidence, and no public PoC raising attacker reliability. More importantly, the reachable population is constrained twice over: first to hosts that run ksmbd, then to a feature-specific durable-handle replay path with availability-only impact.

Why not lower?

This is still kernel-space code on a file server, so a tenant or user with SMB access can potentially degrade a production service that the business depends on. If you intentionally deploy ksmbd on internal storage or edge appliances, the issue is real enough to fix rather than dismiss.

05 · Compensating Control

What to do — in priority order.

Inventory ksmbd now — Identify hosts with the ksmbd module present, built-in, or loaded, and correlate them with listeners on 445/tcp. For a LOW verdict there is no SLA; treat as backlog hygiene, but you cannot prioritize what you have not inventoried.
Restrict SMB reachability — Limit 445/tcp to approved admin, user, or application subnets so arbitrary east-west access cannot hammer the service. For LOW, there is no SLA; treat as backlog hygiene, but exposed file servers should still be tightened during the next firewall review.
Prefer userspace Samba where feasible — If ksmbd is not a hard requirement, standardize on the better-understood userspace stack and unload/blacklist ksmbd on nonessential hosts. For LOW, there is no SLA; treat as backlog hygiene.
Monitor ksmbd health — Alert on ksmbd-related kernel log entries, sudden memory pressure, and abnormal SMB error/replay patterns so repeated leak attempts show up before the service falls over. For LOW, there is no SLA; treat as backlog hygiene.

What doesn't work

SMB signing does not solve this; a signed but maliciously crafted authenticated request can still drive the vulnerable logic.
EDR alone is weak here; this is kernel request-handling leakage, so you are more likely to see service symptoms than a clean exploit signature.
Version-only scanning is incomplete on distros with backports; it can overcall vulnerable systems unless you validate vendor package fix state.

06 · Verification

Crowdsourced verification payload.

Run this on the target Linux host as root or with enough privilege to read kernel config, module metadata, and socket state. Save it as check-cve-2025-71204.sh and run sudo bash check-cve-2025-71204.sh; it will print VULNERABLE, PATCHED, or UNKNOWN based on upstream version ranges plus whether ksmbd appears enabled/active.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2025-71204.sh
# Detect likely exposure to CVE-2025-71204 on a Linux host.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

KVER_RAW="$(uname -r)"
KVER="${KVER_RAW%%-*}"
RC_TAG=""
if [[ "$KVER_RAW" =~ -rc([0-9]+) ]]; then
  RC_TAG="rc${BASH_REMATCH[1]}"
fi

have_cmd() { command -v "$1" >/dev/null 2>&1; }

ver_ge() {
  # returns 0 if $1 >= $2
  [[ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" == "$1" ]]
}

ver_lt() {
  # returns 0 if $1 < $2
  [[ "$1" != "$2" ]] && [[ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" == "$1" ]]
}

version_in_range() {
  local v="$1" start="$2" end_excl="$3"
  ver_ge "$v" "$start" && ver_lt "$v" "$end_excl"
}

is_vulnerable_upstream_version() {
  local v="$1"

  # Explicit rc handling for 6.19-rc1..rc3
  if [[ "$v" == "6.19" && -n "$RC_TAG" ]]; then
    case "$RC_TAG" in
      rc1|rc2|rc3) return 0 ;;
    esac
  fi

  version_in_range "$v" "6.6.32" "6.6.124" && return 0
  version_in_range "$v" "6.9" "6.12.70" && return 0
  version_in_range "$v" "6.13" "6.18.10" && return 0

  return 1
}

is_fixed_or_unaffected_upstream_version() {
  local v="$1"

  # Pre-6.6.32 and 6.6.124+/6.12.70+/6.18.10+/6.19+ are upstream-safe by published ranges.
  if ver_lt "$v" "6.6.32"; then
    return 0
  fi

  if ver_ge "$v" "6.19"; then
    # Non-RC 6.19+ considered fixed by upstream record.
    [[ -z "$RC_TAG" ]] && return 0
  fi

  if version_in_range "$v" "6.6.124" "6.9"; then
    return 0
  fi

  if version_in_range "$v" "6.12.70" "6.13"; then
    return 0
  fi

  if version_in_range "$v" "6.18.10" "6.19"; then
    return 0
  fi

  return 1
}

ksmbd_present="no"
ksmbd_loaded="no"
ksmbd_listening="no"
ksmbd_built_in="no"

if lsmod 2>/dev/null | awk '{print $1}' | grep -qx 'ksmbd'; then
  ksmbd_loaded="yes"
fi

if [[ -e /sys/module/ksmbd ]]; then
  ksmbd_present="yes"
fi

if [[ -f "/lib/modules/${KVER_RAW}/modules.builtin" ]] && grep -q '/ksmbd\.ko' "/lib/modules/${KVER_RAW}/modules.builtin"; then
  ksmbd_built_in="yes"
  ksmbd_present="yes"
fi

if [[ -f "/boot/config-${KVER_RAW}" ]] && grep -q '^CONFIG_SMB_SERVER=y' "/boot/config-${KVER_RAW}"; then
  ksmbd_built_in="yes"
  ksmbd_present="yes"
fi

if [[ -f "/boot/config-${KVER_RAW}" ]] && grep -q '^CONFIG_SMB_SERVER=m' "/boot/config-${KVER_RAW}"; then
  ksmbd_present="yes"
fi

if have_cmd ss; then
  if ss -ltnp 2>/dev/null | grep -E 'LISTEN.+:445\b' | grep -qi 'ksmbd\|mountd'; then
    ksmbd_listening="yes"
  fi
fi

# Heuristic note for distro backports
backport_hint="no"
if [[ -f /etc/os-release ]]; then
  . /etc/os-release
  case "${ID:-}:${ID_LIKE:-}" in
    debian:*|ubuntu:*|rhel:*|fedora:*|sles:*|opensuse:*) backport_hint="yes" ;;
  esac
fi

if is_fixed_or_unaffected_upstream_version "$KVER"; then
  echo "PATCHED"
  exit 0
fi

if is_vulnerable_upstream_version "$KVER"; then
  # Strong vulnerable signal only when ksmbd is active/present.
  if [[ "$ksmbd_loaded" == "yes" || "$ksmbd_built_in" == "yes" || "$ksmbd_listening" == "yes" ]]; then
    echo "VULNERABLE"
    exit 1
  fi

  # Kernel version is in-range, but ksmbd does not appear active. Also backports may apply.
  echo "UNKNOWN"
  exit 2
fi

# Anything else is ambiguous: vendor backports, custom kernels, or unparsable versioning.
echo "UNKNOWN"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, pull a list of systems that actually run ksmbd or listen on 445/tcp, because that is the population that matters. For a LOW verdict there is no noisgate mitigation SLA and effectively no noisgate remediation SLA beyond backlog hygiene; fold this into normal kernel maintenance, prioritize exposed or multi-tenant file servers first, and document why generic Linux endpoints without ksmbd are not urgent.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.