Redazione RHC: 16 September 2025 11:37
A security researcher recently developed a zero-click exploit for the Linux SMB3 kernel daemon (ksmbd) by chaining two vulnerabilities. The exploit achieves remote code execution (RCE) in kernel mode without any user interaction, posing a significant threat to unpatched systems.
The first bug, tracked as CVE-2023-52440, is a SLUB (kernel heap) overflow in the ksmbd_decode_ntlmssp_auth_blob() function. It is triggered during NTLM authentication, where the session key length (sess_key_len) is taken from client-controlled input.
An oversized length value causes the copy to run past the end of the allocation and overwrite adjacent kernel memory, which can be turned into arbitrary code execution. The exploit was tested on Linux 6.1.45 with all standard mitigations enabled, including SMAP, SMEP, KPTI and KASLR.
The second bug, CVE-2023-4130, is an out-of-bounds (OOB) read in the smb2_set_ea() function. It allows an authenticated user to read sensitive data from kernel memory by exploiting incorrect handling of extended attributes (xattrs) on files shared over SMB3. Combined, the two vulnerabilities give complete control over the target system.
The exploit uses heap spraying to shape the kernel heap into a layout favourable to the overflow. Once kernel memory has been corrupted, a return-oriented programming (ROP) chain is executed that launches a reverse shell, giving the attacker remote control of the system. The whole process requires no user interaction, which makes the attack particularly insidious.
The researcher tested the exploit on a system with a single x86_64 core and observed that on multi-core systems its reliability drops, because kernel memory allocations are managed per CPU. The exploit can also leave the target unstable, so manual intervention may be needed to restore the system after it has run.
To mitigate these vulnerabilities, update the system to the latest Linux kernel: according to the researcher, kernel versions later than 6.1.45 fix both bugs. It is also important to configure access permissions on SMB shares correctly, limiting write access to authorised users only. Keeping ksmbd off the Internet and actively monitoring for suspicious activity further reduce the risk of exploitation.
This case highlights the importance of keeping systems up to date and applying security best practices to prevent sophisticated attacks such as this one. The security research community continues to monitor and analyse these vulnerabilities to improve the protection of computer systems.
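As an added triage helper, not code from the article or the researcher, the following POSIX shell script checks the three mitigation points above on a host: whether the running kernel is at or below the 6.1.45 build named in the article, whether the ksmbd module is loaded, and whether an SMB listener on port 445 is bound beyond loopback. It assumes the article's "later than 6.1.45" threshold as stated; distributions backport fixes, so confirm CVE-2023-52440 and CVE-2023-4130 in your vendor's changelog before treating a lower version number as vulnerable.

```shell
#!/bin/sh
# Added triage script (not from the article). Assumes the article's
# threshold: kernels at or below 6.1.45 need a vendor backport check.

# Returns 0 (true) when a "uname -r" style version is <= 6.1.45.
kernel_at_or_below_6_1_45() {
    ver=${1%%-*}                     # drop "-13-amd64" style suffixes
    major=${ver%%.*}
    rest=${ver#"$major"}; rest=${rest#.}
    minor=${rest%%.*};    minor=${minor:-0}
    rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*};    patch=${patch:-0}
    if [ "$major" -ne 6 ]; then [ "$major" -lt 6 ]; return; fi
    if [ "$minor" -ne 1 ]; then [ "$minor" -lt 1 ]; return; fi
    [ "$patch" -le 45 ]
}

# Returns 0 when the ksmbd kernel module is currently loaded.
ksmbd_loaded() {
    grep -q '^ksmbd ' /proc/modules 2>/dev/null
}

# Prints listening TCP sockets on port 445 that are not loopback-only.
smb_listeners_beyond_loopback() {
    ss -Hltn 'sport = :445' 2>/dev/null | grep -v '127\.0\.0\.1\|\[::1\]' || true
}

# Human-readable summary of the three checks for the current host.
triage() {
    k=$(uname -r)
    if kernel_at_or_below_6_1_45 "$k"; then
        echo "kernel $k: at or below 6.1.45, verify vendor backports for CVE-2023-52440 / CVE-2023-4130"
    else
        echo "kernel $k: newer than 6.1.45"
    fi
    if ksmbd_loaded; then
        echo "ksmbd module: loaded"
        l=$(smb_listeners_beyond_loopback)
        if [ -n "$l" ]; then
            printf 'SMB listener reachable beyond loopback:\n%s\n' "$l"
        fi
    else
        echo "ksmbd module: not loaded"
    fi
}

triage
```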