CVE-2025-66002 is a vulnerability classified under CWE-88 (Improper Neutralization of Argument Delimiters in a Command), affecting the smb4k mount helper, a KDE project tool used for managing SMB/CIFS network shares on Linux systems. The vulnerability allows local users with limited privileges to inject arbitrary command arguments due to insufficient sanitization of input parameters passed to the mount helper. This argument injection can be exploited to perform unauthorized unmount operations on SMB shares, potentially disrupting access to network resources. The flaw does not require elevated privileges beyond local user access and does not require user interaction, making it relatively straightforward to exploit in environments where multiple users have shell access. The vulnerability was reserved in November 2025 and published in January 2026, with no known exploits currently in the wild. The CVSS 4.0 vector indicates local attack vector (AV:L), low attack complexity (AC:L), no attack prerequisites (AT:N), low privileges required (PR:L), no user interaction (UI:N), and partial impact on confidentiality, integrity, and high impact on availability. The lack of patch links suggests a fix may still be pending or in development. The vulnerability primarily threatens system availability by allowing arbitrary unmounts, which can interrupt critical SMB share access and potentially impact dependent applications or services.

For European organizations, the primary impact of CVE-2025-66002 is the potential disruption of SMB network shares managed via smb4k, which could affect file sharing, collaboration, and access to centralized resources. This is particularly critical in environments where multiple users share the same Linux workstations or servers with smb4k installed. Availability is the most affected security property, as arbitrary unmounts can cause denial of service for users relying on SMB shares. Confidentiality and integrity impacts are limited but not negligible if unmount operations are used as part of a broader attack chain. Organizations in sectors with high reliance on Linux desktop environments or KDE software, such as research institutions, software development firms, and public administrations, may face operational interruptions. The medium severity rating indicates that while the vulnerability is not critical, it still poses a tangible risk that could be exploited by insider threats or malicious local users. The absence of known exploits reduces immediate risk but does not eliminate it, especially as patches are not yet publicly available.

1. Restrict local user permissions to limit who can execute smb4k and its mount helper, ensuring only trusted users have access. 2. Employ Linux security modules (e.g., AppArmor, SELinux) to confine smb4k mount helper execution and prevent unauthorized argument injection. 3. Monitor system logs for unusual unmount commands or smb4k usage patterns indicative of exploitation attempts. 4. Disable or remove smb4k on systems where it is not essential to reduce the attack surface. 5. Once patches or updates are released by KDE, prioritize their deployment across all affected systems. 6. Educate local users about the risks of executing untrusted commands and enforce strict user account management. 7. Consider implementing multi-factor authentication or session restrictions on multi-user systems to reduce the risk of local privilege abuse. 8. Conduct regular audits of SMB share mounts and unmounts to detect anomalies early.