Proof-of-Concept exploit for KSMBDrain (CVE-2025-38501). It can remotely exhaust the KSMBD server's connection limit.
A remote attacker can exhaust a KSMBD server's maximum connection limit by completing a TCP 3-way handshake and then not responding to any further packets. By default, the KSMBD server holds such half-open connections indefinitely, so an attacker can consume all available connections. A timeout can be configured in the user-space configuration file (with a minimum of 1 minute), but even then an attacker from a single IP address can still cause a DoS of the SMB service by repeatedly initiating such connections.
- introduced in: kernel 5.3, when KSMBD was merged into mainline
- fixed in: commit e6bb9193974059ddbb0ce7763fa3882bd60d4dc3
- start the vulnerable KSMBD server and make sure the network connection to the victim is working
- change the target IP in `poc.py` as needed, then run the script
I would like to thank @FFreestanding for helping reproduce the bug and develop the PoC.
This proof-of-concept (PoC) code is provided for educational and research purposes only.
Use this code responsibly and only on systems you own or have explicit permission to test.
The authors and contributors are not responsible for any misuse or damage caused by this code.