CVE-2025-37947

Published May 20, 2025

Last updated a month ago

CVSS high 7.8

Overview

Description
In the Linux kernel, the following vulnerability has been resolved: ksmbd: prevent out-of-bounds stream writes by validating *pos ksmbd_vfs_stream_write() did not validate whether the write offset (*pos) was within the bounds of the existing stream data length (v_len). If *pos was greater than or equal to v_len, this could lead to an out-of-bounds memory write. This patch adds a check to ensure *pos is less than v_len before proceeding. If the condition fails, -EINVAL is returned.
Source
416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD status
Analyzed
Products
linux_kernel, debian_linux

Risk scores

CVSS 3.1

Type
Primary
Base score
7.8
Impact score
5.9
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

nvd@nist.gov
CWE-787
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-787

Social media

Hype score
Not currently trending

  1. ksmbd - Exploiting CVE-2025-37947 (3/3) #CVE202537947 #ksmbd #OOBWrite #PrivilegeEscalation #LinuxKernel https://t.co/E4fuSaYTiu

    @reverseame

    2 Feb 2026

    1000 Impressions

    4 Retweets

    7 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  2. ksmbd - Exploiting CVE-2025-37947 (3/3) · Doyensec's Blog https://t.co/22HDfC4fjv

    @Komodosec

    17 Nov 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Top 5 Trending CVEs: 1 - CVE-2021-28550 2 - CVE-2025-33073 3 - CVE-2023-20870 4 - CVE-2025-37947 5 - CVE-2025-22131 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    26 Oct 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. ksmbd - Exploiting CVE-2025-37947 Article by @73696e65 about locally exploiting CVE-2025-37947 — a page OOB write in the ksmbd module. Article: https://t.co/V5LBTtOqxY Exploit: https://t.co/knpaTnIO2j https://t.co/jADk5UqFEn

    @linkersec

    24 Oct 2025

    12092 Impressions

    44 Retweets

    184 Likes

    58 Bookmarks

    0 Replies

    2 Quotes

  5. Linux kernel ksmbd モジュールの脆弱性 CVE-2025-37947:ローカル権限昇格と PoC の公開 https://t.co/02xnThNPhy この脆弱性の原因は、ksmbd_vfs_stream_write() における拡張属性 (xattr) 書き込みのサイズ検証不備にあります。割当

    @iototsecnews

    20 Oct 2025

    96 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Exploiting CVE-2025-37947 (Linux kernel's ksmbd) https://t.co/3l5LuiehvQ

    @Karma_X_Inc

    19 Oct 2025

    74 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. ksmbd - Exploiting CVE-2025-37947 (3/3) https://t.co/J3XQM6nK4L

    @ytroncal

    12 Oct 2025

    43 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2025-37947 : Linux kernel's ksmbd LPE Exploiting https://t.co/9BOFXgcoNH https://t.co/Sfw9mCfMrS

    @freedomhack101

    9 Oct 2025

    81 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  9. #exploit #Kernel_Security Ksmbd Vulnerability Research Part 1 - CVE-2024-50283, CVE-2024-50285, CVE-2024-50286 - https://t.co/zoZsNbjEJK Part 2 - Fuzzing Improvements and Vulnerability Discovery - https://t.co/t1xCLqun8C Part 3 - Exploiting CVE-2025-37947 -

    @ksg93rd

    9 Oct 2025

    2937 Impressions

    10 Retweets

    50 Likes

    23 Bookmarks

    0 Replies

    0 Quotes

  10. csirt_it: ‼ #Linux: disponibile un #PoC per lo sfruttamento combinato della CVE-2025-37947 che interessa relative al modulo #KSMBD Rischio: 🟠 Tipologia: 🔸 Privilege Escalation 🔗 https://t.co/uEP8YyGW7C ⚠ Importante mantenere aggiornati i… https://t.co/A

    @Vulcanux_

    9 Oct 2025

    53 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. 🔥 Alerta crítico para admins Linux! Uma vulnerabilidade de alta gravidade (CVE-2025-37947) no ksmbd do kernel Linux permite escalada de privilégios para acesso root. Seus sistemas estão em risco! 🚨 Atualize suas distros AGORA. #Linux #CyberSecurity #CVE https://t.co/8Qt

    @fernandokarl

    9 Oct 2025

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. ksmbd - Exploiting CVE-2025-37947 (3/3) https://t.co/AvRjgQT32z https://t.co/dKxpvu7YiR

    @Tinolle1955

    8 Oct 2025

    35 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  13. ksmbd - Exploiting CVE-2025-37947 (3/3) https://t.co/7I0RV6RcYh

    @Dinosn

    8 Oct 2025

    929 Impressions

    0 Retweets

    1 Like

    3 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. In the Linux kernel, the following vulnerability has been resolved: ksmbd: add chann_lock to protect ksmbd_chann_list xarray ksmbd_chann_list xarray lacks synchronization, allowing use-after-free in multi-channel sessions (between lookup_chann_list() and ksmbd_chann_del). Adds rw_semaphore chann_lock to struct ksmbd_session and protects all xa_load/xa_store/xa_erase accesses.CVE-2026-23226
  2. MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.CVE-2026-25506
  3. In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix potential underflow in virtio_transport_get_credit() The credit calculation in virtio_transport_get_credit() uses unsigned arithmetic: ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); If the peer shrinks its advertised buffer (peer_buf_alloc) while bytes are in flight, the subtraction can underflow and produce a large positive value, potentially allowing more data to be queued than the peer can handle. Reuse virtio_transport_has_space() which already handles this case and add a comment to make it clear why we are doing that. [Stefano: use virtio_transport_has_space() instead of duplicating the code] [Stefano: tweak the commit message]CVE-2026-23069
  4. In the Linux kernel, the following vulnerability has been resolved: spi: spi-sprd-adi: Fix double free in probe error path The driver currently uses spi_alloc_host() to allocate the controller but registers it using devm_spi_register_controller(). If devm_register_restart_handler() fails, the code jumps to the put_ctlr label and calls spi_controller_put(). However, since the controller was registered via a devm function, the device core will automatically call spi_controller_put() again when the probe fails. This results in a double-free of the spi_controller structure. Fix this by switching to devm_spi_alloc_host() and removing the manual spi_controller_put() call.CVE-2026-23068
  5. In the Linux kernel, the following vulnerability has been resolved: iommu/io-pgtable-arm: fix size_t signedness bug in unmap path __arm_lpae_unmap() returns size_t but was returning -ENOENT (negative error code) when encountering an unmapped PTE. Since size_t is unsigned, -ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE on 64-bit systems). This corrupted value propagates through the call chain: __arm_lpae_unmap() returns -ENOENT as size_t -> arm_lpae_unmap_pages() returns it -> __iommu_unmap() adds it to iova address -> iommu_pgsize() triggers BUG_ON due to corrupted iova This can cause IOVA address overflow in __iommu_unmap() loop and trigger BUG_ON in iommu_pgsize() from invalid address alignment. Fix by returning 0 instead of -ENOENT. The WARN_ON already signals the error condition, and returning 0 (meaning "nothing unmapped") is the correct semantic for size_t return type. This matches the behavior of other io-pgtable implementations (io-pgtable-arm-v7s, io-pgtable-dart) which return 0 on error conditions.CVE-2026-23067

References

Sources include official advisories and independent security research.