CVE-2025-68817
Published: 13 January 2026
Summary
CVE-2025-68817 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 0.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2025-68817 is a use-after-free vulnerability in the Linux kernel's ksmbd module, which implements the SMB server functionality. The issue occurs in the ksmbd_tree_connect_put function under high concurrency conditions, where a tree-connection object (tcon) is freed along a disconnect path while another concurrent path retains a reference to it. This leads to a use-after-free when the holding path later performs *_put() or write operations on the freed object. The vulnerability is classified under CWE-416 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of required user interaction. Under concurrent access scenarios, such as those involving multiple SMB connections, the attacker can trigger the race condition to access or manipulate the freed tcon object, potentially resulting in high-impact confidentiality, integrity, and availability violations, including arbitrary code execution, data corruption, or denial of service.
Mitigation is available through kernel patches merged into stable branches, as documented in the following commit references:
- https://git.kernel.org/stable/c/063cbbc6f595ea36ad146e1b7d2af820894beb21
- https://git.kernel.org/stable/c/21a3d01fc6db5129f81edb0ab7cb94fd758bcbea
- https://git.kernel.org/stable/c/446beed646b2e426dd53d27358365f8678e1dd01
- https://git.kernel.org/stable/c/b39a1833cc4a2755b02603eec3a71a85e9dff926
- https://git.kernel.org/stable/c/d092de8a26c952379ded8e6b0bda31d89befac1a

Security practitioners should update affected Linux kernels to incorporate these fixes, particularly on systems exposing ksmbd for SMB sharing.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2302
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency. Under high concurrency, a tree-connection object (tcon) is freed on a disconnect path while another path still holds a reference and later executes *_put()/write on it.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel UAF in ksmbd enables direct exploitation for privilege escalation to achieve arbitrary code execution.
Mitigating Controls (NIST 800-53 r5)
Directly remediates the use-after-free vulnerability in ksmbd_tree_connect_put by applying the specific kernel patches referenced in the analysis.
Provides memory protection safeguards such as ASLR, KASLR, SMEP, and SMAP that mitigate exploitation of the use-after-free on the tcon object.
Limits system to least functionality by disabling the ksmbd module if not essential, preventing exposure to the concurrency-induced race condition.
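
One way to audit the least-functionality control on a host is to check whether ksmbd is loaded and whether it can still be loaded. The script below is an added example, not part of the original advisory or the kernel project; the function names and their argument convention are this example's own assumptions, and it inspects only a single modprobe.d directory.

```shell
#!/bin/sh
# Audit whether ksmbd is loaded or can still be loaded on this host.
# Defaults are the standard Linux locations; both can be overridden
# on the command line (argument order is this example's convention).

# ksmbd_loaded FILE: true if FILE (in /proc/modules format) lists ksmbd.
ksmbd_loaded() {
    [ -r "$1" ] && grep -q '^ksmbd ' "$1"
}

# ksmbd_blocked DIR: true if a modprobe.d file in DIR maps ksmbd to a
# no-op install command. A plain "blacklist ksmbd" line is not counted,
# because it only stops alias-based autoloading, not "modprobe ksmbd".
ksmbd_blocked() {
    for f in "$1"/*.conf; do
        [ -r "$f" ] || continue
        if grep -Eq '^[[:space:]]*install[[:space:]]+ksmbd[[:space:]]+(/usr)?/bin/(false|true)([[:space:]]|$)' "$f"; then
            return 0
        fi
    done
    return 1
}

# ksmbd_status MODULES_FILE MODPROBE_DIR
# Prints one of: loaded | blocked | loadable
ksmbd_status() {
    if ksmbd_loaded "$1"; then
        echo loaded      # module is live: patch level matters now
    elif ksmbd_blocked "$2"; then
        echo blocked     # not loaded and modprobe is neutralised
    else
        echo loadable    # not loaded, but nothing prevents loading
    fi
}

ksmbd_status "${1:-/proc/modules}" "${2:-/etc/modprobe.d}"
```

A result of `loaded` or `loadable` means the host still depends on the kernel patches listed above. A kernel with ksmbd built in rather than built as a module will not appear in either check.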