FERRAMENTAS LINUX: Urgent: Ubuntu 24.04 LTS Kernel Update Patches Critical SMB Vulnerabilities (USN-8059-5)

Wednesday, February 25, 2026


 



A critical Ubuntu 24.04 LTS kernel update (USN-8059-5) patches high-severity SMB vulnerabilities CVE-2025-22037 and CVE-2025-37899. Discover the technical impact of these use-after-free and NULL pointer dereference flaws, official FIPS-compliant patch instructions, and essential mitigation steps for Ubuntu Pro users to secure enterprise infrastructure against remote exploitation. Upgrade now.

Why This Ubuntu Security Update Demands Immediate Action

Is your Ubuntu 24.04 LTS infrastructure exposed to remote code execution attacks through its SMB implementation? A new critical security advisory, USN-8059-5, confirms that several high-profile vulnerabilities have been patched in the Linux kernel for FIPS-enabled Ubuntu systems. 

For system administrators and security professionals managing compliance-driven environments, understanding the technical depth of these flaws—and the urgency of the remediation—is non-negotiable.

This latest update specifically targets ksmbd, the kernel-space SMB server, addressing vulnerabilities that could allow an attacker to compromise system integrity remotely. Given the widespread deployment of Ubuntu 24.04 LTS in cloud environments like Google Cloud Platform (GCP) and Amazon Web Services (AWS), the attack surface is significant.

This analysis breaks down the technical details, the patched CVEs, and the exact steps required to harden your kernel against active threats.

The Anatomy of the Threat: Dissecting CVE-2025-37899 and CVE-2025-22037

The USN-8059-5 advisory rectifies flaws within the SMB network file system subsystem, specifically in the ksmbd server implementation. These are not theoretical risks; they are exploitable vulnerabilities with a tangible potential for business disruption.

1. CVE-2025-37899: The Use-After-Free Remote Execution Vector

Severity: High (CVSS 3.1 Score: 7.8)
This vulnerability resides in the smb2_session_logoff() function within fs/smb/server/smb2pdu.c.

  • Technical Mechanism: The flaw allows a use-after-free error. When a session logoff is initiated, the sess->user object can still be referenced by another thread handling a session setup request. An authenticated remote attacker can send specially crafted data during this race condition window, leading to arbitrary code execution in kernel context.

  • Exploitation Vector: Remote. An attacker does not need physical access but does require network access to the SMB port.

2. CVE-2025-22037: The NULL Pointer Dereference DoS Vector

This vulnerability affects multiple functions, including alloc_preauth_hash() and smb2_sess_setup().

  • Technical Mechanism: If a client sends a malformed SMB2 negotiate request, the server errors out correctly, but the conn->preauth_info structure remains unallocated. If the client subsequently sends a session setup request without completing the negotiate phase, the kernel attempts to dereference a NULL pointer.

  • Impact: Although this flaw is classified primarily as a Denial of Service (DoS), a local user can exploit it to crash the system, leading to downtime for critical services.

The "Ubuntu Pro" Requirement

A critical detail often overlooked in casual summaries is the availability constraint. The patched packages (e.g., linux-image-6.8.0-101-fips and linux-image-6.8.0-1048-gcp-fips) are explicitly marked as "Available with Ubuntu Pro."

  • Enterprise Context: If you are running standard Ubuntu 24.04 LTS without an Ubuntu Pro subscription, these specific FIPS-compliant images are not accessible via the default repositories. This is a crucial compliance checkpoint for FedRAMP, PCI-DSS, and HIPAA environments.

The ABI Change Warning

The update introduces an unavoidable Application Binary Interface (ABI) change.

  • Operational Impact: Third-party kernel modules (e.g., proprietary drivers, specialized hardware modules) compiled against the old kernel will fail to load.

  • Remediation: Administrators must recompile and reinstall all out-of-tree modules. Standard system upgrades will handle this automatically unless the kernel metapackages were manually removed.

Official Patch Instructions and Mitigation Strategies

To secure your Ubuntu 24.04 LTS systems, immediate action is required. Follow this structured approach based on the official Canonical advisory.

For FIPS-Enabled Environments (GCP, AWS, On-Prem)

Update the specific FIPS kernel images. These are essential for environments requiring cryptographic compliance.

Ubuntu 24.04 LTS (FIPS Updates):

bash
# Refresh package lists
sudo apt update
# Standard FIPS hosts:
sudo apt install linux-image-6.8.0-101-fips
# Google Cloud Platform FIPS hosts (instead of the line above):
sudo apt install linux-image-6.8.0-1048-gcp-fips

  • Standard FIPS Image: 6.8.0-101.101+fips1

  • Google Cloud Platform (GCP) FIPS: 6.8.0-1048.51+fips1

  • AWS FIPS (Referenced in related advisories): 6.8.0-1044.46+fips1 

Immediate Mitigation (If Patching is Delayed)

If you cannot immediately reboot into the patched kernel, consider disabling the ksmbd module entirely as a temporary workaround for CVE-2025-37899:

bash
# Blacklist the ksmbd module
echo -e "blacklist ksmbd\ninstall ksmbd /bin/true" | sudo tee /etc/modprobe.d/ksmbd-blacklist.conf

# Update the initial ramfs
sudo update-initramfs -u

Note: This disables the SMB server functionality. Ensure this aligns with your business continuity requirements.

Post-Update Procedure

After installing the new kernel, a system reboot is mandatory to load the patched version.

bash
# Reboot the system
sudo reboot

# Verify the new kernel is running
uname -r
# Expected output: 6.8.0-101-fips or 6.8.0-1048-gcp-fips
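
The following script is an added example, not part of the Canonical advisory or the original post. It extends the uname -r check above into a small audit that also reports whether ksmbd is still loaded or actually blocked. The function names kernel_status and ksmbd_status are hypothetical, and it assumes any ABI number at or above the ones in the package names listed in this article carries the fix.

```shell
#!/bin/sh
# Added example: post-update audit for the FIPS kernels named in this article.
# Assumption: an ABI number >= the one in the listed package name carries the fix.

# kernel_status RELEASE -> patched | vulnerable | unknown-flavor
kernel_status() {
    rel=$1
    case $rel in
        6.8.0-*-gcp-fips) min=1048; abi=${rel#6.8.0-}; abi=${abi%-gcp-fips} ;;
        6.8.0-*-fips)     min=101;  abi=${rel#6.8.0-}; abi=${abi%-fips} ;;
        *) echo unknown-flavor; return 0 ;;
    esac
    # Reject anything that is not a bare ABI number (e.g. another flavor infix)
    case $abi in
        ''|*[!0-9]*) echo unknown-flavor; return 0 ;;
    esac
    if [ "$abi" -ge "$min" ]; then echo patched; else echo vulnerable; fi
}

# ksmbd_status MODULES_FILE MODPROBE_DIR -> loaded | blocked | loadable
ksmbd_status() {
    modules=$1
    confdir=$2
    # A blacklist entry does not unload a module that is already resident
    if grep -q '^ksmbd ' "$modules" 2>/dev/null; then
        echo loaded; return 0
    fi
    # Only an "install ksmbd /bin/true|false" line stops an explicit modprobe
    if grep -Eqs '^[[:space:]]*install[[:space:]]+ksmbd[[:space:]]+/bin/(true|false)' \
        "$confdir"/*.conf; then
        echo blocked
    else
        echo loadable
    fi
}

# Run with --audit to check the live host; otherwise only the functions are defined
if [ "${1:-}" = "--audit" ]; then
    echo "kernel: $(kernel_status "$(uname -r)")"
    echo "ksmbd:  $(ksmbd_status /proc/modules /etc/modprobe.d)"
fi
```

A result of "loaded" on an unpatched kernel means the blacklist file alone has not removed the exposure: the module stays resident until it is unloaded or the host reboots.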

Frequently Asked Questions (FAQ)

Q: Is Ubuntu 20.04 LTS affected by these specific CVEs?

A: While USN-8059-5 targets 24.04, related SMB vulnerabilities (CVE-2025-37797, etc.) have been patched in Ubuntu 20.04 LTS FIPS kernels via advisories like USN-7701-2. Administrators on older LTS releases should verify they are on the latest FIPS kernel images available through Ubuntu Pro.

Q: Do I need an Ubuntu Pro subscription to get this fix?

A: Yes, for the FIPS images. The specific package versions listed in USN-8059-5 require an Ubuntu Pro subscription. However, the generic Linux kernel (linux-image-generic) may receive backports for these CVEs through the standard Ubuntu security repository. Verify your specific kernel flavor.

Q: Can these vulnerabilities be exploited over the internet?

A: CVE-2025-37899 has a remote attack vector. If your SMB server (ksmbd) is exposed to the internet or an untrusted network, it is potentially exploitable. It is a best practice to restrict SMB traffic to trusted internal networks and utilize VPNs for remote access.

Conclusion: Reinforcing Your Linux Security Posture

The disclosure of USN-8059-5 serves as a critical reminder of the fragility inherent in complex network subsystems like SMB. For organizations leveraging Ubuntu 24.04 LTS—particularly in FIPS-compliant modes on GCP or AWS—delaying this patch exposes the infrastructure to "high" severity risks ranging from service denial to full system compromise.

Action: 

Audit your current kernel version immediately. If you are running a FIPS kernel, ensure your Ubuntu Pro subscription is active and deploy the linux-image-6.8.0-101-fips update today. For non-FIPS environments, verify that the standard security updates have been applied and plan for a maintenance window to reboot.
