macOS SMBClient Flaw Enables Remote Code Execution and Kernel Crashes

A critical vulnerability has been discovered in Apple's macOS SMBClient, the kernel-resident SMB client, exposing users to remote code execution (RCE) in the kernel and to kernel panics.

Tracked as CVE-2025-24269, the flaw carries a CVSS score of 9.8, placing it in the critical band and among the most severe security issues to affect the macOS platform in recent years.

Vulnerability Overview

According to the recent report, the vulnerability resides in the smbfs.kext kernel extension, in the function smb2_rq_decompress_read.

There, the SMBClient code fails to validate a length value (compress_len) received from the network before using it to copy data into a kernel buffer. Because this is client-side code, that length arrives in a response from whatever SMB server the client is talking to.

CVE ID           CVE-2025-24269
Description      Kernel heap overflow in smb2_rq_decompress_read; malicious SMB traffic can lead to remote code execution or a system crash
CVSS Score       9.8
Impact           RCE, DoS, privilege escalation
Patched Version  macOS Sequoia 15.4

When handling SMB2 compression (the protocol allows the LZNT1, LZ77, and LZ77+Huffman algorithms), a peer can send a crafted compressed SMB packet that triggers a heap overflow in kernel memory.

The flaw arises because the code copies data into a preallocated buffer, sized for the read it expected, without first checking that the attacker-supplied length fits within that buffer.

An attacker exploiting this vulnerability could:

  • Achieve remote code execution in the kernel context, gaining full control over the affected system.
  • Cause immediate kernel crashes, resulting in denial of service.
  • Escalate privileges from a non-privileged user to kernel-level access.

The report lists all recent versions of macOS as affected, including Sequoia, Monterey, Big Sur, and Mojave. Exploitation needs no credentials on the attacker's side, because the malicious data travels in server responses and the attacker never has to authenticate to the victim; what the attacker does need is for the victim's SMB client to talk to a server they control or can tamper with, which is the role of the vectors below.

  • Remote Attack: A malicious actor can deliver a specially crafted smb:// URL, pointing at a server they control, via messaging apps, email, or web browsers. If the user opens the link, macOS connects to that server and the exploit is delivered in its responses.
  • Man-in-the-Middle: An attacker on the same network, or otherwise on-path, can intercept and modify the traffic of an existing SMB session to deliver the exploit. SMB3 session encryption, which authenticates each message before it is decompressed, blocks this tampering; message signing alone does not, because decompression happens before the signature can be checked.
  • Local Privilege Escalation: A local, unprivileged user can mount a share from a server they control (even one running on the same host) and exploit the flaw to escalate to kernel-level access.

Apple has addressed this vulnerability in macOS Sequoia 15.4 and other supported versions by adding proper validation for the affected memory operations.

Users are strongly advised to update their systems immediately. Organizations should also monitor SMB network activity (TCP port 445), block outbound SMB to untrusted networks, require SMB encryption where their servers support it, and segment networks to limit exposure.

The trigger is the client's processing of compressed SMB2 data. Because the peer chooses the length of the data copied into a kernel heap buffer, it also controls how far the write runs past the allocation.

XNU's kernel heap hardening (zone-separated kalloc allocations, for example) raises the cost of turning such an overflow into code execution, but a controlled-length kernel heap overflow remains a strong primitive, and the report assesses that the mitigations can still be bypassed to execute arbitrary code.
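To make the bug class concrete, here is an added user-space model of the handling described in the Vulnerability Overview and recapped above: a compressed SMB2 READ response is decoded into a preallocated client buffer, with the length check that the vulnerable code lacked. This is an illustration written for this article, not Apple's smbfs.kext code; the real smb2_rq_decompress_read is not public, so the function names, error codes, and the shape of smb2_decompress_read are assumptions, as is the constructed packet. The transform header layout follows the MS-SMB2 SMB2_COMPRESSION_TRANSFORM_HEADER, and the decoder implements LZNT1, one of the three algorithms named above.

```c
/* User-space model of a compressed SMB2 READ response decoded into a preallocated
 * client buffer. Added illustration, not Apple's smbfs.kext code: the real
 * smb2_rq_decompress_read is not public, so function and field names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SMB2_COMP_HDR_LEN     16
#define SMB2_COMP_PROTOCOL_ID 0x424D53FCu  /* wire bytes FC 'S' 'M' 'B', read little-endian */
#define SMB2_COMP_LZNT1       1            /* MS-SMB2 CompressionAlgorithm value for LZNT1 */
#define LZNT1_CHUNK_MAX       4096         /* one LZNT1 chunk decodes to at most 4 KiB */
enum { DECOMP_OK = 0, ERR_SHORT = -1, ERR_PROTO = -2, ERR_ALG = -3,
       ERR_OFFSET = -4, ERR_TOO_BIG = -5, ERR_CORRUPT = -6, ERR_OVERRUN = -7 };

struct smb2_comp_hdr {               /* MS-SMB2 SMB2_COMPRESSION_TRANSFORM_HEADER, unchained */
    uint32_t protocol_id;
    uint32_t original_size;          /* decompressed length claimed by the peer: the "compress_len" */
    uint16_t algorithm, flags;
    uint32_t offset;                 /* uncompressed bytes that precede the compressed data */
};

static uint32_t rd32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* LZNT1 decoder: every write to out[] is checked against out_cap, so a stream that
 * inflates past the buffer is rejected rather than written. */
int lznt1_decompress(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t ip = 0, op = 0;
    while (ip + 2 <= in_len) {
        uint16_t chdr = rd16(in + ip); ip += 2;
        if (chdr == 0) break;                                     /* end-of-stream marker */
        size_t csize = (chdr & 0x0FFF) + 1, cend = ip + csize, chunk_start = op;
        if (cend > in_len) return ERR_CORRUPT;
        if (!(chdr & 0x8000)) {                                   /* stored chunk: raw copy */
            if (csize > out_cap - op) return ERR_OVERRUN;
            memcpy(out + op, in + ip, csize); op += csize; ip = cend;
            continue;
        }
        while (ip < cend) {
            uint8_t flags = in[ip++];
            for (int bit = 0; bit < 8 && ip < cend; bit++) {
                if (op - chunk_start >= LZNT1_CHUNK_MAX) return ERR_CORRUPT;
                if (!(flags & (1u << bit))) {                     /* literal byte */
                    if (op >= out_cap) return ERR_OVERRUN;
                    out[op++] = in[ip++];
                    continue;
                }
                if (ip + 2 > cend || op == chunk_start) return ERR_CORRUPT;
                uint16_t tok = rd16(in + ip); ip += 2;            /* back-reference token */
                int split = 12; uint16_t lmask = 0x0FFF;          /* split depends on chunk position */
                for (size_t p = op - chunk_start - 1; p >= 0x10; p >>= 1) { split--; lmask >>= 1; }
                size_t len = (tok & lmask) + 3, dist = (size_t)(tok >> split) + 1;
                if (dist > op - chunk_start) return ERR_CORRUPT;  /* reaches before the chunk */
                if (len > out_cap - op) return ERR_OVERRUN;       /* would run past out[] */
                for (size_t k = 0; k < len; k++, op++) out[op] = out[op - dist];
            }
        }
    }
    *out_len = op;
    return DECOMP_OK;
}

int smb2_parse_comp_hdr(const uint8_t *pkt, size_t pkt_len, struct smb2_comp_hdr *h)
{
    if (pkt_len < SMB2_COMP_HDR_LEN) return ERR_SHORT;
    h->protocol_id = rd32(pkt);     h->original_size = rd32(pkt + 4);
    h->algorithm   = rd16(pkt + 8); h->flags = rd16(pkt + 10);  h->offset = rd32(pkt + 12);
    return h->protocol_id == SMB2_COMP_PROTOCOL_ID ? DECOMP_OK : ERR_PROTO;
}

/* Decode one compressed READ response into read_buf (capacity read_cap). The comparison of
 * original_size with read_cap is the validation the article says the vulnerable code lacked. */
int smb2_decompress_read(const uint8_t *pkt, size_t pkt_len, uint8_t *read_buf, size_t read_cap, size_t *read_len)
{
    struct smb2_comp_hdr h;
    int rc = smb2_parse_comp_hdr(pkt, pkt_len, &h);
    if (rc != DECOMP_OK) return rc;
    const uint8_t *body = pkt + SMB2_COMP_HDR_LEN;
    size_t body_len = pkt_len - SMB2_COMP_HDR_LEN, n = 0;
    if (h.offset > body_len) return ERR_OFFSET;                   /* prefix runs past the packet */
    if (h.offset > read_cap || h.original_size > read_cap - h.offset) return ERR_TOO_BIG;
    if (h.algorithm != SMB2_COMP_LZNT1) return ERR_ALG;           /* only LZNT1 is modelled here */
    memcpy(read_buf, body, h.offset);
    rc = lznt1_decompress(body + h.offset, body_len - h.offset, read_buf + h.offset, h.original_size, &n);
    if (rc != DECOMP_OK) return rc;
    if (n != h.original_size) return ERR_CORRUPT;                 /* claimed and actual length must agree */
    *read_len = h.offset + n;
    return DECOMP_OK;
}

/* Constructed packet: header plus an LZNT1 chunk decoding to "ABBBB" (literals 'A', 'B',
 * then a back-reference of distance 1, length 3). original_size is the peer's claim. */
size_t build_demo_packet(uint32_t original_size, uint8_t *pkt /* at least 23 bytes */)
{
    static const uint8_t lznt1[] = { 0x04, 0xB0, 0x04, 'A', 'B', 0x00, 0x00 };
    wr32(pkt, SMB2_COMP_PROTOCOL_ID); wr32(pkt + 4, original_size);
    wr16(pkt + 8, SMB2_COMP_LZNT1);   wr16(pkt + 10, 0); wr32(pkt + 12, 0);
    memcpy(pkt + SMB2_COMP_HDR_LEN, lznt1, sizeof lznt1);
    return SMB2_COMP_HDR_LEN + sizeof lznt1;
}
```

Calling smb2_decompress_read on build_demo_packet(5, pkt) with a 64-byte buffer decodes "ABBBB"; the same packet with original_size set to 0x10000 is refused with ERR_TOO_BIG before any byte is written, which is the header-level check the patch is described as adding. Two checks matter, and both are needed: the comparison of the claimed length against the buffer capacity up front, and the per-write bound inside the decoder, which catches a stream that inflates beyond even an honest-looking declared size (original_size of 4 here yields ERR_OVERRUN). Drop either and a peer once again chooses how far the copy runs past the allocation.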

CVE-2025-24269 represents a significant security threat to macOS users worldwide.

The combination of remote exploitability, kernel-level impact, and low prerequisites for the attacker (no credentials, only a victim that connects) underscores the urgency of applying available patches and reviewing SMB network configurations.
