HIGH
smb/server RpcSession Leak
CVE-2025-71220
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 6.5 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe()

When ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close().
02 KernelScan AI Analysis
Risk summary
SMB clients can cause resource exhaustion by triggering RPC session leaks in the ksmbd server. Repeated exploitation can lead to denial of service by consuming all available RPC sessions. This affects systems running the ksmbd SMB server with network-accessible SMB shares.
Vulnerability analysis
The vulnerability exists in the create_smb2_pipe() function, where RPC sessions opened for named pipe operations are not cleaned up when ksmbd_iov_pin_rsp() fails. The original code returned immediately on this error without calling ksmbd_session_rpc_close(), so the RPC session leaked. The fix initializes the session ID to -1 and adds cleanup logic that closes the RPC session on error paths. The code is reachable from the network via the SMB protocol and requires only SMB client authentication.
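The leak pattern and the fix described above, modeled in userspace C as an added example (this is not the kernel patch or code from this page). The pool size and the names rpc_open, rpc_close, pin_rsp, create_pipe_leaky and create_pipe_fixed are hypothetical stand-ins for the ksmbd functions.

```c
#include <errno.h>
#include <stdio.h>
#define MAX_RPC 4                 /* constructed pool size for the demo */
static int in_use[MAX_RPC];       /* 1 = RPC session slot is held */

/* Hypothetical stand-ins, not the ksmbd functions. */
static int rpc_open(void) {       /* returns a session id >= 0, or -EMFILE */
    for (int i = 0; i < MAX_RPC; i++)
        if (!in_use[i]) { in_use[i] = 1; return i; }
    return -EMFILE;
}
static void rpc_close(int id) { in_use[id] = 0; }
static int pin_rsp(int fail) { return fail ? -ENOMEM : 0; }

int sessions_held(void) {
    int n = 0;
    for (int i = 0; i < MAX_RPC; i++) n += in_use[i];
    return n;
}
void pool_reset(void) { for (int i = 0; i < MAX_RPC; i++) in_use[i] = 0; }

/* Before: a failure after the open returns without closing the session. */
int create_pipe_leaky(int pin_fails) {
    int id = rpc_open();
    if (id < 0) return id;
    int err = pin_rsp(pin_fails);
    if (err) return err;          /* leak: id is still marked in use */
    return 0;
}

/* After: id starts at -1 so the error path knows whether to close. */
int create_pipe_fixed(int pin_fails) {
    int id = -1, err;
    err = id = rpc_open();
    if (id < 0) goto out;         /* nothing was opened, nothing to close */
    err = pin_rsp(pin_fails);
    if (err) goto out;
    return 0;                     /* success: session stays open for the pipe */
out:
    if (id >= 0) rpc_close(id);
    return err;
}

int main(void) {
    for (int i = 0; i < 10; i++) create_pipe_leaky(1);
    printf("leaky: %d of %d sessions held\n", sessions_held(), MAX_RPC);
    pool_reset(); for (int i = 0; i < 10; i++) create_pipe_fixed(1);
    printf("fixed: %d of %d sessions held\n", sessions_held(), MAX_RPC);
    return 0;
}
```

In the leaky variant the pool fills after MAX_RPC failed requests and every later open fails, which is the exhaustion condition the risk summary describes.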
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.200 | a2c68e256fb7 |
| 6.1 | 6.1.163 | 2b7b4df87fe6 |
| 6.12 | 6.12.70 | ac18761b530b |
| 6.18 | 6.18.10 | fdda836fcee6 |
| 6.6 | 6.6.124 | 04dd114b682a |
| mainline | 6.19 | 7c28f8eef5ac |