CVE-2025-22041: 
Linux Kernel vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2025-22041) was discovered in the Linux kernel's ksmbd component, specifically in the ksmbd_sessions_deregister() function. The vulnerability was disclosed on April 16, 2025, affecting multiple versions of the Linux kernel from 6.2 through 6.14.2 (NVD).

The vulnerability occurs in multichannel mode when the second channel attempts to set up a session through the connection of the first channel. A use-after-free condition arises in session_deregister where a session that is freed through the global session table can be accessed again through the ->sessions of connection. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and is classified as CWE-416 (Use After Free) (NVD).

The vulnerability affects multiple Linux distributions and versions, including Ubuntu releases from 20.04 LTS to 24.04 LTS, and various kernel configurations including aws, azure, gcp, and oracle variants. The high CVSS score indicates potential for significant impact if exploited, with possible consequences for confidentiality, integrity, and availability of affected systems (Ubuntu).

The vulnerability has been fixed in Linux kernel version 6.12.25-1 and patches have been released for affected systems. Multiple patch commits have been made available through the kernel.org repository to address this issue (Debian).