KDE Project Security Advisory: Smb4K: Major security issues in KAuth mount helper

Albert Astals Cid aacid at kde.org
Fri Jan 9 22:11:39 GMT 2026


KDE Project Security Advisory
=============================

Title:          Smb4K: Major security issues in KAuth mount helper
Risk rating:    Major
CVE:            CVE-2025-66002, CVE-2025-66003
Versions:       Smb4K < 4.0.5
Date:           9 January 2026

Overview
========

The privileged KAuth mount helper of Smb4K runs with full root privileges and 
implements two KAuth actions accessible via D-Bus: mounting and unmounting a 
network share. Both actions are allowed for local users in active sessions 
without authentication, based on the Polkit 'yes' setting.

The unmount action has a faulty mount point validation that might give rise to 
a Denial-of-Service attack. Also, any mounted network share with file systems 
'cifs' or 'smb3' can be unmounted, no matter whether it was mounted by a user 
or the system (via /etc/fstab). Furthermore, arbitrary unmount options can be 
passed, which can lead to unwanted behavior. The use of the KMountPoint class 
might lead to race conditions.

The mount action allows mounting shares to any path in the system. So, a share 
could be mounted over a system directory such as '/bin'. Since any mount 
option is allowed by the implementation, potentially harmful combinations like 
'uid=0,file_mode=4755' can be passed. Furthermore, the path to the Kerberos 
ticket is passed in such a way that the ticket of any user on the system can 
be hijacked.
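
An added illustration, not Smb4K's code and not the actual 4.0.5 fix: one way a
privileged mount helper could validate caller-supplied mount options before
invoking mount, so that combinations such as 'uid=0,file_mode=4755' are
refused. The allowlist contents and the function names are assumptions made
for this example.

```cpp
#include <set>
#include <sstream>
#include <string>
#include <sys/types.h>

// Constructed allowlist for this example (all are mount.cifs options).
// Anything not listed here is rejected outright.
static const std::set<std::string> kAllowedKeys = {
    "uid", "gid", "file_mode", "dir_mode", "vers",
    "sec", "port", "ro", "rw", "iocharset"};

// Parse an octal mode string; returns -1 on malformed input.
static long parseMode(const std::string &v) {
    if (v.empty() || v.size() > 5) return -1;
    long mode = 0;
    for (char c : v) {
        if (c < '0' || c > '7') return -1;
        mode = mode * 8 + (c - '0');
    }
    return mode;
}

// Returns true only if every comma-separated option is on the allowlist,
// uid/gid equal the calling user's ids, and no mode carries
// setuid/setgid/sticky bits (mask 07000).
bool mountOptionsAllowed(const std::string &opts, uid_t callerUid, gid_t callerGid) {
    std::istringstream in(opts);
    std::string item;
    while (std::getline(in, item, ',')) {
        const auto eq = item.find('=');
        const std::string key = item.substr(0, eq);
        const std::string val = eq == std::string::npos ? "" : item.substr(eq + 1);
        if (!kAllowedKeys.count(key)) return false;
        if (key == "uid" && val != std::to_string(callerUid)) return false;
        if (key == "gid" && val != std::to_string(callerGid)) return false;
        if (key == "file_mode" || key == "dir_mode") {
            const long mode = parseMode(val);
            if (mode < 0 || (mode & 07000)) return false;
        }
    }
    return true;
}
```

The caller's uid and gid must come from the authenticated D-Bus peer, never
from the request payload itself.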


Impact
======

An attacker can exploit the shortcomings in the KAuth mount helper and perform 
arbitrary unmounts due to several problems in the unmount method. 
Additionally, an attacker who has access to and control over the contents 
of a Samba share can use the mount method of the KAuth mount helper to 
conduct a local root exploit.


Workaround
==========

As long as a fixed version cannot be used, the following measures can be 
applied:

Raise the Polkit authentication requirements for the mount and unmount helper 
actions to 'auth_admin'.

Restrict D-Bus access to the mount helper utility to members of an opt-in 
group like 'smb4k'. Coupled with a security disclaimer, this would allow users 
that really want to use this feature to opt-in.


Solution
========

Update Smb4K to version 4.0.5 or later.


Credits
=======

Thanks to Matthias Gerstner and the SUSE security team for reporting this 
issue.

https://kde.org/info/security/advisory-20260109-1.txt



