CVE-2025-40090
BaseFortify

Publication date: 2025-10-30

Last updated on: 2026-02-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix recursive locking in RPC handle list access

Since commit 305853cce3794 ("ksmbd: Fix race condition in RPC handle list access"), ksmbd_session_rpc_method() attempts to lock sess->rpc_lock. This causes hung connections / tasks when a client attempts to open a named pipe.

Using Samba's rpcclient tool:

    $ rpcclient //192.168.1.254 -U user%password
    $ rpcclient $> srvinfo
    <connection hung here>

Kernel side:

    "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
    task:kworker/0:0 state:D stack:0 pid:5021 tgid:5021 ppid:2 flags:0x00200000
    Workqueue: ksmbd-io handle_ksmbd_work
    Call trace:
     __schedule from schedule+0x3c/0x58
     schedule from schedule_preempt_disabled+0xc/0x10
     schedule_preempt_disabled from rwsem_down_read_slowpath+0x1b0/0x1d8
     rwsem_down_read_slowpath from down_read+0x28/0x30
     down_read from ksmbd_session_rpc_method+0x18/0x3c
     ksmbd_session_rpc_method from ksmbd_rpc_open+0x34/0x68
     ksmbd_rpc_open from ksmbd_session_rpc_open+0x194/0x228
     ksmbd_session_rpc_open from create_smb2_pipe+0x8c/0x2c8
     create_smb2_pipe from smb2_open+0x10c/0x27ac
     smb2_open from handle_ksmbd_work+0x238/0x3dc
     handle_ksmbd_work from process_scheduled_works+0x160/0x25c
     process_scheduled_works from worker_thread+0x16c/0x1e8
     worker_thread from kthread+0xa8/0xb8
     kthread from ret_from_fork+0x14/0x38
    Exception stack(0x8529ffb0 to 0x8529fff8)

The task deadlocks because the lock is already held:

    ksmbd_session_rpc_open
      down_write(&sess->rpc_lock)
      ksmbd_rpc_open
        ksmbd_session_rpc_method
          down_read(&sess->rpc_lock)   <-- deadlock

Adjust ksmbd_session_rpc_method() callers to take the lock when necessary.
Meta Information
Published: 2025-10-30
Last Modified: 2026-02-26
Generated: 2026-05-07
AI Q&A: 2025-10-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.18
linux linux_kernel From 6.12.53 (inc) to 6.12.55 (exc)
linux linux_kernel From 6.17.3 (inc) to 6.17.5 (exc)
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a deadlock in the Linux kernel's ksmbd component. ksmbd_session_rpc_method() tries to take a read lock on sess->rpc_lock while the same lock is already held for writing by ksmbd_session_rpc_open() further up the call chain. Because an rwsem cannot be acquired recursively by the thread that already holds it for writing, the worker task blocks forever, leaving connections and tasks hung whenever a client opens a named pipe, for example with Samba's rpcclient tool.


How can this vulnerability impact me?

The vulnerability can cause hung connections or tasks on the server whenever a client opens a named pipe, for instance with Samba's rpcclient. Each such request deadlocks a ksmbd worker in the kernel, so environments relying on ksmbd for SMB service can see service disruption or degraded performance.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing hung connections or tasks when a client attempts to open a named pipe using Samba's rpcclient tool. For example, running:

    $ rpcclient //192.168.1.254 -U user%password
    $ rpcclient $> srvinfo

will cause the connection to hang if the vulnerability is present. On the kernel side, hung tasks in the ksmbd-io workqueue can be identified in the kernel log, with stack traces that include ksmbd_session_rpc_method and the related functions listed in the description.


What immediate steps should I take to mitigate this vulnerability?

An immediate step is to silence the kernel's hung-task warning by running:

    echo 0 > /proc/sys/kernel/hung_task_timeout_secs

This only suppresses the hung-task message and does not fix the underlying deadlock; hung connections will still occur. The proper fix adjusts the callers of ksmbd_session_rpc_method() to take the lock when necessary, which requires applying the relevant kernel patch or updating to a fixed kernel version.

