CVE-2025-22037: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix null pointer dereference in alloc_preauth_hash(). The client sends a malformed smb2 negotiate request. ksmbd returns an error response. Subsequently, the client can send smb2 session setup even though conn->preauth_info is not allocated. This patch adds the KSMBD_SESS_NEED_SETUP status of connection to ignore session setup requests if the smb2 negotiate phase is not complete.
AI Analysis
Technical Summary
CVE-2025-22037 is a vulnerability identified in the Linux kernel's ksmbd (Kernel SMB Daemon) component, which handles SMB (Server Message Block) protocol operations. The vulnerability arises from improper handling of malformed SMB2 negotiate requests sent by a client. Specifically, when a client sends a malformed SMB2 negotiate request, ksmbd returns an error response as expected. However, the client can then proceed to send an SMB2 session setup request even though the connection's preauthentication information (conn->preauth_info) has not been allocated. This leads to a null pointer dereference in the alloc_preauth_hash() function, causing a potential denial of service (DoS) by crashing the ksmbd service or the kernel itself. The patch for this vulnerability introduces a new connection status flag, KSMBD_SESS_NEED_SETUP, which ensures that session setup requests are ignored if the SMB2 negotiate phase has not been successfully completed. This prevents the null pointer dereference by enforcing the correct sequence of SMB2 protocol phases. The vulnerability affects Linux kernel versions identified by the commit hash 0626e6641f6b467447c81dd7678a69c66f7746cf and was published on April 16, 2025. No known exploits are reported in the wild at the time of publication, and no CVSS score has been assigned yet.
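The sequencing problem and the fix described above can be modelled as a small connection state machine. The block below is an added illustration written for this page, not the kernel's ksmbd code: the struct layouts, the return codes, the model states other than KSMBD_SESS_NEED_SETUP (the name the fix introduces), and the RC_NULL_DEREF sentinel that stands in for the kernel oops are all assumptions of the model. It drives the advisory's sequence (malformed NEGOTIATE, then SESSION_SETUP) through both the unguarded and the guarded session-setup handler, so the difference the status flag makes is visible as a return value rather than a crash.

```c
/* Added model of the ksmbd negotiate/session-setup gate (not kernel code). */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model states. Only KSMBD_SESS_NEED_SETUP is a name taken from the fix;
 * the other two are assumptions of this model. */
enum conn_status {
    SESS_NEED_NEGOTIATE,   /* fresh connection, no successful NEGOTIATE yet */
    KSMBD_SESS_NEED_SETUP, /* NEGOTIATE completed, SESSION_SETUP may proceed */
    SESS_GOOD              /* session established */
};

/* Return codes are assumptions of the model, not ksmbd's. RC_NULL_DEREF is a
 * sentinel: in the kernel this path would be a NULL pointer oops. */
enum rc { RC_OK = 0, RC_INVALID_PARAMETER = -1, RC_NO_MEMORY = -2, RC_NULL_DEREF = -3 };

struct preauth_info { unsigned char hash[64]; };   /* assumed layout */
struct session      { unsigned char preauth_hash[64]; };

struct conn {
    enum conn_status status;
    struct preauth_info *preauth_info;   /* NULL until NEGOTIATE succeeds */
};

/* NEGOTIATE handler: a malformed request is answered with an error before
 * preauth_info is allocated, but the TCP connection stays open. */
int smb2_negotiate(struct conn *c, bool malformed)
{
    if (malformed)
        return RC_INVALID_PARAMETER;          /* error response, no allocation */
    c->preauth_info = calloc(1, sizeof *c->preauth_info);
    if (!c->preauth_info)
        return RC_NO_MEMORY;
    memset(c->preauth_info->hash, 0xA5, sizeof c->preauth_info->hash); /* constructed */
    c->status = KSMBD_SESS_NEED_SETUP;        /* the state the fix tracks */
    return RC_OK;
}

/* Stand-in for alloc_preauth_hash(): copies the connection's preauth hash into
 * the session. Reading through a NULL preauth_info is the defect; the model
 * reports it instead of dereferencing. */
int alloc_preauth_hash(struct session *sess, const struct conn *c)
{
    if (!c->preauth_info)
        return RC_NULL_DEREF;
    memcpy(sess->preauth_hash, c->preauth_info->hash, sizeof sess->preauth_hash);
    return RC_OK;
}

/* SESSION_SETUP handler. With `hardened` set, the request is refused unless the
 * connection is in KSMBD_SESS_NEED_SETUP, i.e. NEGOTIATE really completed. */
int smb2_sess_setup(struct conn *c, bool hardened)
{
    struct session sess;
    int rc;

    if (hardened && c->status != KSMBD_SESS_NEED_SETUP)
        return RC_INVALID_PARAMETER;          /* ignored: negotiate phase incomplete */

    memset(&sess, 0, sizeof sess);
    rc = alloc_preauth_hash(&sess, c);
    if (rc == RC_OK)
        c->status = SESS_GOOD;
    return rc;
}

/* Runs one connection through NEGOTIATE then SESSION_SETUP and returns the
 * outcome of the SESSION_SETUP request. */
int run_sequence(bool hardened, bool malformed_negotiate)
{
    struct conn c = { .status = SESS_NEED_NEGOTIATE, .preauth_info = NULL };
    int rc;

    (void)smb2_negotiate(&c, malformed_negotiate);
    rc = smb2_sess_setup(&c, hardened);
    free(c.preauth_info);
    return rc;
}

int main(void)
{
    printf("unguarded, malformed negotiate: %d (RC_NULL_DEREF = %d)\n",
           run_sequence(false, true), RC_NULL_DEREF);
    printf("guarded,   malformed negotiate: %d (RC_INVALID_PARAMETER = %d)\n",
           run_sequence(true, true), RC_INVALID_PARAMETER);
    printf("guarded,   valid negotiate:     %d (RC_OK = %d)\n",
           run_sequence(true, false), RC_OK);
    return 0;
}
```

The point of the model is the single check in smb2_sess_setup: the unguarded handler reaches alloc_preauth_hash() with preauth_info still NULL after a rejected NEGOTIATE, whereas the guarded handler answers the out-of-order SESSION_SETUP with an error and never touches the unallocated state. A valid NEGOTIATE followed by SESSION_SETUP succeeds in both variants, which is the property a regression test for the patch should also cover.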
Potential Impact
For European organizations, this vulnerability primarily poses a risk of denial of service on Linux systems running the ksmbd service, which is used to provide SMB file sharing capabilities. Organizations relying on Linux servers for file sharing, particularly those using ksmbd instead of user-space SMB implementations like Samba, could experience service interruptions if targeted by an attacker sending malformed SMB2 negotiate requests. The impact is mainly on availability, as the null pointer dereference can crash the kernel or the ksmbd daemon, leading to potential downtime of critical file sharing services. Confidentiality and integrity impacts are less likely since the vulnerability does not appear to allow code execution or unauthorized data access directly. However, service disruption could affect business operations, especially in sectors with high dependency on file sharing and collaboration services. Given the widespread use of Linux in European data centers, enterprises, and public sector infrastructure, the vulnerability could have a broad impact if exploited at scale. The absence of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to prevent future exploitation attempts.
Mitigation Recommendations
European organizations should apply the official Linux kernel patch that introduces the KSMBD_SESS_NEED_SETUP status to ensure proper SMB2 session setup sequencing. System administrators must verify that their Linux kernel versions include this fix or upgrade to a patched kernel release. Additionally, organizations should audit their use of ksmbd and consider whether SMB services are exposed to untrusted networks; if so, restricting access via firewall rules or network segmentation can reduce exposure. Monitoring network traffic for malformed SMB2 negotiate requests can help detect attempted exploitation. Implementing kernel crash monitoring and alerting will enable rapid response to any DoS attempts. For environments where ksmbd is not essential, disabling the service can eliminate the attack surface. Finally, maintaining up-to-date intrusion detection systems with signatures for malformed SMB2 traffic will enhance detection capabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.809Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9831c4522896dcbe7ef4
Added to database: 5/21/2025, 9:09:05 AM
Last enriched: 7/3/2025, 8:12:09 PM
Last updated: 8/16/2025, 4:47:52 PM
Views: 35
Related Threats
CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)