Cyber Resilience

CVE-2025-68817

High

Published: 13 January 2026

Modified
26 February 2026
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.4th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-68817 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 0.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2025-68817 is a use-after-free vulnerability in the Linux kernel's ksmbd module, which implements the SMB server functionality. The issue occurs in the ksmbd_tree_connect_put function under high concurrency conditions, where a tree-connection object (tcon) is freed along a disconnect path while another concurrent path retains a reference to it. This leads to a use-after-free when the holding path later performs *_put() or write operations on the freed object. The vulnerability is classified under CWE-416 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of required user interaction. Under concurrent access scenarios, such as those involving multiple SMB connections, the attacker can trigger the race condition to access or manipulate the freed tcon object, potentially resulting in high-impact confidentiality, integrity, and availability violations, including arbitrary code execution, data corruption, or denial of service.

Mitigation is available through kernel patches merged into stable branches, as documented in the following commit references: https://git.kernel.org/stable/c/063cbbc6f595ea36ad146e1b7d2af820894beb21, https://git.kernel.org/stable/c/21a3d01fc6db5129f81edb0ab7cb94fd758bcbea, https://git.kernel.org/stable/c/446beed646b2e426dd53d27358365f8678e1dd01, https://git.kernel.org/stable/c/b39a1833cc4a2755b02603eec3a71a85e9dff926, and https://git.kernel.org/stable/c/d092de8a26c952379ded8e6b0bda31d89befac1a. Security practitioners should update affected Linux kernels to incorporate these fixes, particularly on systems exposing ksmbd for SMB sharing.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency. Under high concurrency, a tree-connection object (tcon) is freed on a disconnect path while another path still holds a reference and later executes *_put()/write on it.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF in ksmbd enables direct exploitation for privilege escalation to achieve arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111: Same product: Linux Linux Kernel
CVE-2026-31530: Same product: Linux Linux Kernel
CVE-2026-43019: Same product: Linux Linux Kernel
CVE-2026-23158: Same product: Linux Linux Kernel
CVE-2025-21893: Same product: Linux Linux Kernel
CVE-2026-31446: Same product: Linux Linux Kernel
CVE-2026-31650: Same product: Linux Linux Kernel
CVE-2026-23001: Same product: Linux Linux Kernel
CVE-2024-50051: Same product: Linux Linux Kernel
CVE-2025-21759: Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.6 · 5.15.145 — 5.15.199 · 6.1.71 — 6.1.160 · 6.6.1 — 6.6.120

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the use-after-free vulnerability in ksmbd_tree_connect_put by applying the specific kernel patches referenced in the analysis.

prevent

Provides memory protection safeguards such as ASLR, KASLR, SMEP, and SMAP that mitigate exploitation of the use-after-free on the tcon object.

prevent

Limits system to least functionality by disabling the ksmbd module if not essential, preventing exposure to the concurrency-induced race condition.
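
A triage sketch for the two controls above (patch status and least functionality), added here as an example and not taken from the advisory or the kernel project. It compares a kernel release against the ranges listed under Affected Assets and checks whether ksmbd is loaded. Assumptions: both range bounds are treated as inclusive, the function names are hypothetical, and distribution kernels that backport fixes can still match a listed version.

```shell
#!/bin/sh
# Added triage example; not code from the advisory page.
# Ranges copied from "Affected Assets" (6.6 written as 6.6.0).
# Assumption: both bounds inclusive, mainline/stable numbering only.
AFFECTED_RANGES="5.15.145-5.15.199 6.1.71-6.1.160 6.6.0-6.6.120"

# Reduce a release string such as "6.1.90-1-amd64" to a comparable integer.
ver_num() (
    v=${1%%[!0-9.]*}          # drop the distro suffix
    IFS=.
    set -- $v                 # split major.minor.patch
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
)

# Return 0 when the release falls inside one of the listed ranges.
in_affected_range() {
    n=$(ver_num "$1")
    for r in $AFFECTED_RANGES; do
        lo=$(ver_num "${r%-*}")
        hi=$(ver_num "${r#*-}")
        if [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]; then return 0; fi
    done
    return 1
}

# Return 0 when ksmbd appears in a /proc/modules-format file.
# $1 = file to read (default: the live /proc/modules).
ksmbd_loaded() {
    grep -q '^ksmbd ' "${1:-/proc/modules}" 2>/dev/null
}

# Combine both checks into one verdict.
# $1 = kernel release, $2 = optional modules file.
triage() {
    if ! in_affected_range "$1"; then
        echo "version-not-listed"
    elif ksmbd_loaded "$2"; then
        echo "listed-version-ksmbd-loaded"      # patch, or unload if unused
    else
        echo "listed-version-ksmbd-not-loaded"  # still schedule the update
    fi
}

triage "$(uname -r)"
```

A "version-not-listed" result only reflects the ranges on this page; confirm against the distribution's own advisory before closing the finding.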