KDE Project Security Advisory
=============================

Title:           Smb4K: Major security issues in KAuth mount helper
Risk rating:     Major
CVE:             CVE-2025-66002, CVE-2025-66003
Versions:        Smb4K < 4.0.5
Date:            9 January 2026

Overview
========

The privileged KAuth mount helper of Smb4K runs with full root
privileges and implements two KAuth actions accessible via D-Bus:
mounting and unmounting a network share. Both actions are allowed for
local users in active sessions without authentication, based on the
Polkit 'yes' setting.

The unmount action has a faulty mount point validation that might give
rise to a Denial-of-Service attack. Also, any mounted network share with
file systems 'cifs' or 'smb3' can be unmounted, no matter whether it was
mounted by a user or the system (via /etc/fstab). Furthermore, arbitrary
unmount options can be passed, which can lead to unwanted behavior. The
use of the KMountPoint class might lead to race conditions.

The mount action allows mounting shares to any path in the system. So, a
share could be mounted over a system directory such as '/bin'. Since any
mount option is allowed by the implementation, potentially harmful
combinations like 'uid=0,file_mode=4755' can be passed. Furthermore, the
path to the Kerberos ticket is passed in such a way that the ticket of
any user on the system can be hijacked.

Impact
======

An attacker can exploit the shortcomings in the KAuth mount helper and
perform arbitrary unmounts due to several problems in the unmount
method. Additionally, an attacker who has access to and control over the
contents of a Samba share can use the mount method of the KAuth mount
helper to conduct a local root exploit.

Workaround
==========

As long as a fixed version cannot be used, the following measures can be
applied:

- Raise the Polkit authentication requirements for the mount and unmount
  helper actions to 'auth_admin'.
- Restrict D-Bus access to the mount helper utility to members of an
  opt-in group like 'smb4k'. Coupled with a security disclaimer, this
  would allow users that really want to use this feature to opt in.

Solution
========

Update Smb4K to version 4.0.5 or later.

Credits
=======

Thanks to Matthias Gerstner and the SUSE security team for reporting
this issue.
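
Added example (not part of the KDE advisory and not Smb4K code): a Polkit
rules file implementing the first workaround measure, raising the helper
actions to 'auth_admin'. The action ID prefix, the file name and the
function name are assumptions; verify the action IDs on the target system
before deploying.

```javascript
// Example file name: /etc/polkit-1/rules.d/49-smb4k-mounthelper.rules
// ASSUMPTION: the helper's mount and unmount actions share this ID prefix.
// Confirm the real IDs on the target system with: pkaction | grep -i smb4k
var SMB4K_ACTION_PREFIX = "org.kde.smb4k.mounthelper.";

// Inside polkitd the polkit.Result constants exist; the string fallbacks
// are the documented values and let the function be unit-tested elsewhere.
var HAVE_POLKIT = (typeof polkit !== "undefined");
var AUTH_ADMIN = HAVE_POLKIT ? polkit.Result.AUTH_ADMIN : "auth_admin";
var DENY = HAVE_POLKIT ? polkit.Result.NO : "no";

function smb4kMountHelperRule(action, subject) {
    // Unrelated actions: return nothing so later rules and the shipped
    // .policy defaults still apply.
    if (action.id.indexOf(SMB4K_ACTION_PREFIX) !== 0) {
        return undefined;
    }
    // The advisory describes the 'yes' setting as applying to local users
    // in active sessions. Refuse every other subject so that this rule
    // can only tighten access, never widen it.
    if (!(subject.local && subject.active)) {
        if (HAVE_POLKIT) {
            polkit.log("smb4k helper denied: " + action.id +
                       " user=" + subject.user);
        }
        return DENY;
    }
    // Local active session: require administrator authentication.
    return AUTH_ADMIN;
}

if (HAVE_POLKIT) {
    polkit.addRule(smb4kMountHelperRule);
}
```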