0-Click Linux Kernel KSMBD Vulnerability Enables Remote Code Execution via N-Day Exploit
A recent vulnerability in the Linux Kernel’s KSMBD module allows an attacker to execute arbitrary code on a target system without any user interaction.
KSMBD is a kernel-space SMB3 server that handles network file sharing. Researchers demonstrated a stable exploit against KSMBD in Linux 6.1.45, achieving remote code execution (RCE) with a success rate above 95 percent.
The exploit chains two known CVEs from the Zero Day Initiative, patched in late 2023 and early 2024.
In the first stage, an unauthenticated heap overflow (CVE-2023-52440) occurs during NTLM authentication.
By crafting an oversized session key blob in an SMB2_SESSION_SETUP message, the exploit forces a controlled SLUB overflow in a kmalloc-512 allocation.

This overflow serves as a “writeheap” primitive, letting the attacker corrupt adjacent kernel memory without authentication.
A second authenticated bug (CVE-2023-4130) in the Extended Attributes (EA) parser then provides an out-of-bounds read primitive. By crafting a malicious EA buffer, the attacker leaks arbitrary heap contents through xattr metadata, equivalent to a “writeleak” primitive.
Heap Layout Abuse and KASLR Bypass
Combining these primitives enables a full chain. The leak reveals kernel pointers and bypasses KASLR by reading pointers from a kmalloc-1k slab that holds KSMBD connection objects.
Researchers spray kernel objects by opening multiple SMB connections and sessions, then repeatedly trigger the overflow until one connection is corrupted. They use a guided spray-and-check loop to reliably locate the overflow victim and leaked pointers.
With KASLR bypass, the attacker builds kernel ROP gadgets to hijack the session’s local_nls pointer.
An arbitrary free primitive causes one session’s heap chunk to overlap with a connection object, enabling overwrite of function pointers in kmalloc-1k.
Finally, a carefully crafted SMB request allocates a large chunk containing a ROP chain. This chain pivots the stack into controlled memory, sets up arguments, and calls call_usermodehelper to launch a user-mode reverse shell.
A sleep gadget keeps the kernel thread alive, preventing a system crash.
KSMBD is often disabled in production, which limits widespread impact, but any system running an outdated 6.1.x kernel with KSMBD enabled and exposed to untrusted networks is vulnerable.
System administrators should upgrade to kernel 6.1.46 or later, which includes the fixes for both CVEs.
Enabling standard hardening options (SMEP, SMAP, KPTI, randomized slab freelists) reduces exploit reliability but does not eliminate the threat.
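A host triage script for the conditions just described, added here as an example and not part of the original article: it reports whether the running kernel is a 6.1.x release older than 6.1.46, whether the ksmbd module is loaded, and whether the CPU advertises SMEP and SMAP. It assumes standard Linux paths (/proc/modules, /proc/cpuinfo); distribution kernels that backport fixes keep a lower version string, so treat a hit as a prompt to consult the vendor advisory rather than proof of exposure.

```shell
#!/bin/sh
# Added host-triage script (not from the article): does this host match the exposed
# configuration above, a 6.1.x kernel older than 6.1.46 with ksmbd loaded?
# /proc/modules and /proc/cpuinfo are standard Linux paths; the 6.1.46 threshold
# comes from the article. CPU-flag output is a hint only, not proof of hardening.

# vulnerable_61_kernel VERSION -> true (exit 0) when VERSION is 6.1.x with x < 46
vulnerable_61_kernel() {
    ver=${1%%-*}                        # 6.1.45-generic -> 6.1.45
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # bare "6.1" means patch level 0
    patch=${patch%%[!0-9]*}             # 6.1.45+ -> 45
    [ "$major" = 6 ] && [ "$minor" = 1 ] && [ "${patch:-0}" -lt 46 ]
}

# ksmbd_loaded -> true when the ksmbd module appears in /proc/modules
ksmbd_loaded() {
    [ -r /proc/modules ] && grep -q '^ksmbd ' /proc/modules
}

# cpu_flag NAME -> true when /proc/cpuinfo advertises the flag (e.g. smep, smap)
cpu_flag() {
    grep -qw "$1" /proc/cpuinfo 2>/dev/null
}

check_host() {
    kver=$(uname -r)
    echo "kernel: $kver"
    if vulnerable_61_kernel "$kver"; then
        echo "  in the affected 6.1.x range: upgrade to 6.1.46 or later"
    else
        echo "  not in the affected 6.1.x range (check vendor advisories for backports)"
    fi
    if ksmbd_loaded; then
        echo "ksmbd: loaded -> exposed if reachable from untrusted networks"
    else
        echo "ksmbd: not loaded"
    fi
    for f in smep smap; do      # these lower exploit reliability but do not remove it
        if cpu_flag "$f"; then echo "$f: present"; else echo "$f: not advertised"; fi
    done
}

check_host
```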
This N-Day exploit highlights risks of running complex services in kernel space. While KSMBD offers performance benefits, it expands the attack surface for remote code execution.
Administrators should prefer user-space SMB servers unless kernel-level performance is essential, and ensure timely patching of security updates.
Continuous monitoring for unusual SMB traffic and disabling anonymous write access further reduce risk. Ongoing review of kernel modules and cautious deployment of new services remain critical to maintaining system security.