CVE-2025-22037: 
Linux Debian vulnerability analysis and mitigation

A vulnerability in the Linux kernel's ksmbd module was discovered and assigned CVE-2025-22037. The issue was disclosed on April 16, 2025, affecting the Linux kernel's SMB server implementation. The vulnerability involves a null pointer dereference in the allocpreauthhash() function (NVD Database, Ubuntu Security).

The vulnerability occurs when a client sends a malformed SMB2 negotiate request, causing ksmbd to return an error response. Subsequently, the client can send an SMB2 session setup even though conn->preauthinfo is not allocated, leading to a null pointer dereference. The fix implements a KSMBDSESSNEEDSETUP status of connection to ignore session setup requests if the SMB2 negotiate phase is not complete (NVD Database).

The vulnerability affects multiple Linux distributions including Ubuntu, Debian, and their derivatives. Various versions of the Linux kernel are impacted, including systems running Ubuntu 24.04 LTS, 22.04 LTS, and 20.04 LTS, as well as Debian Bookworm and Bullseye releases (Ubuntu Security, Debian Security).

The vulnerability has been fixed in Linux kernel version 6.12.25-1 for Debian systems. Various Linux distributions are actively working on backporting the fix to their supported releases. Ubuntu has marked this as a medium priority issue and is working on updates for affected versions (Debian Security, Ubuntu Security).