July 8, 2025
Severity
High
Analysis Summary
Apple has addressed three vulnerabilities in the macOS SMBClient, the component (smbfs.kext and its user-space helpers) that mounts remote file shares over the SMB protocol and has shipped in every macOS release since Big Sur. Because the client parses data sent by whatever server it connects to, these flaws let a malicious or compromised SMB server execute arbitrary code in the kernel or crash the machine, and let a local user abuse a kernel interface to terminate other processes. Two of the vulnerabilities have been assigned CVE identifiers, CVE-2025-24269 and CVE-2025-24235, while the third has no CVE yet but is comparably serious. Apple credits external security researchers with identifying the flaws.
The most severe of the three, CVE-2025-24269, is a remotely triggerable kernel heap overflow in the smb2_rq_decompress_read function of the smbfs.kext kernel extension, reached when the client decompresses a read response. The root cause is insufficient validation of the compress_len parameter while processing chained SMB2 compression payloads (LZNT1, LZ77, LZ77+HUFFMAN): the length taken from the server-supplied header is passed to a memory copy without being checked against the bytes actually received or the size of the destination allocation. A server that controls that length can therefore corrupt adjacent allocations in the kernel's xnu data heap with chosen contents, which is the basis for remote code execution with kernel privileges. Apple patched this by adding strict input validation before the copy.
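The check that the paragraph above says was missing, shown on a small model of the chained SMB2 compression payload format. This is an added example written for this page, not Apple's smbfs.kext code: the header layout and algorithm IDs follow MS-SMB2 2.2.42.2, but the walker, the sample chains and the Pattern_V1 expansion (which stands in for the real LZNT1/LZ77 decompressors) are constructed here. chunk_copy_len_unchecked shows the vulnerable shape, trusting the peer's Length field; decompress_chain_checked bounds every length against the bytes received and the output capacity before copying.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Chained SMB2 compression payload header, MS-SMB2 2.2.42.2 (little-endian):
 *   CompressionAlgorithm(2) | Flags(2) | Length(4) | payload[Length]
 * Pattern_V1 payload: Pattern(1) | Reserved(3) | Repetitions(4).
 * LZNT1/LZ77/LZ77+Huffman chained payloads start with OriginalPayloadSize(4). */
#define SMB2_COMPRESSION_NONE         0x0000
#define SMB2_COMPRESSION_LZNT1        0x0001
#define SMB2_COMPRESSION_LZ77         0x0002
#define SMB2_COMPRESSION_LZ77_HUFFMAN 0x0003
#define SMB2_COMPRESSION_PATTERN_V1   0x0004
#define CHAIN_HDR_LEN 8

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable shape: the byte count handed to memcpy is whatever the peer put
 * in the header; nothing relates it to the bytes received or to the size of
 * the heap allocation it is copied into. */
size_t chunk_copy_len_unchecked(const uint8_t *hdr) { return rd32(hdr + 4); }

/* Hardened walker. Returns 0 on success, -1 for a malformed or oversized
 * chain, -2 for an algorithm this example does not decode. Every Length,
 * Repetitions and OriginalPayloadSize is checked before any copy happens. */
int decompress_chain_checked(const uint8_t *in, size_t in_len,
                             uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t off = 0, produced = 0;
    while (off < in_len) {
        if (in_len - off < CHAIN_HDR_LEN) return -1;          /* truncated header */
        uint16_t alg = rd16(in + off);
        uint32_t len = rd32(in + off + 4);
        const uint8_t *payload = in + off + CHAIN_HDR_LEN;
        if (len > in_len - off - CHAIN_HDR_LEN) return -1;    /* Length runs past the packet */

        switch (alg) {
        case SMB2_COMPRESSION_NONE:
            if (len > out_cap - produced) return -1;          /* would overflow the output */
            memcpy(out + produced, payload, len);
            produced += len;
            break;
        case SMB2_COMPRESSION_PATTERN_V1: {
            if (len != 8) return -1;
            uint32_t reps = rd32(payload + 4);
            if (reps > out_cap - produced) return -1;         /* decompression bomb */
            memset(out + produced, payload[0], reps);
            produced += reps;
            break;
        }
        case SMB2_COMPRESSION_LZNT1:
        case SMB2_COMPRESSION_LZ77:
        case SMB2_COMPRESSION_LZ77_HUFFMAN:
            if (len < 4 || rd32(payload) > out_cap - produced) return -1;
            return -2;  /* the real decompressor is out of scope for this example */
        default:
            return -1;
        }
        off += CHAIN_HDR_LEN + len;
    }
    *out_len = produced;
    return 0;
}

/* Constructed sample chains for the demo, not captured traffic. */
static const uint8_t good_chain[] = {
    0x00,0x00, 0x00,0x00, 0x05,0x00,0x00,0x00, 'h','e','l','l','o',            /* NONE, 5 bytes */
    0x04,0x00, 0x00,0x00, 0x08,0x00,0x00,0x00, 'A',0,0,0, 0x03,0x00,0x00,0x00, /* PATTERN_V1: 'A' x3 */
};
static const uint8_t oversized_chain[] = {
    0x00,0x00, 0x00,0x00, 0xF0,0xFF,0xFF,0xFF, 'h','e','l','l','o',            /* Length = 0xFFFFFFF0 */
};
static const uint8_t bomb_chain[] = {
    0x04,0x00, 0x00,0x00, 0x08,0x00,0x00,0x00, 'A',0,0,0, 0x00,0x00,0x01,0x00, /* 65536 repetitions */
};

/* Decoded length on success (8 for good_chain), otherwise the error code. */
int demo_good(void) {
    uint8_t out[64]; size_t n = 0;
    int rc = decompress_chain_checked(good_chain, sizeof good_chain, out, sizeof out, &n);
    if (rc != 0) return rc;
    return memcmp(out, "helloAAA", 8) == 0 ? (int)n : -99;
}
int demo_oversized(void) {
    uint8_t out[64]; size_t n = 0;
    return decompress_chain_checked(oversized_chain, sizeof oversized_chain, out, sizeof out, &n);
}
int demo_bomb(void) {
    uint8_t out[64]; size_t n = 0;
    return decompress_chain_checked(bomb_chain, sizeof bomb_chain, out, sizeof out, &n);
}
/* How far past the received bytes the unchecked copy would have run. */
size_t demo_unchecked_excess(void) {
    return chunk_copy_len_unchecked(oversized_chain) - (sizeof oversized_chain - CHAIN_HDR_LEN);
}

int main(void) {
    printf("good chain      -> %d\n", demo_good());
    printf("oversized chain -> %d (unchecked copy would overrun by %zu bytes)\n",
           demo_oversized(), demo_unchecked_excess());
    printf("pattern bomb    -> %d\n", demo_bomb());
    return 0;
}
```

The two checks that matter are the ones on Length against the remaining input and on the expanded size against the remaining output; the first is the class of check the advisory says Apple added, and the second is what stops a tiny packet from writing far more than it carries.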
The second flaw, CVE-2025-24235, affects the Kerberos Helper used during SMB authentication. It stems from uninitialized memory in the _KRBDecodeNegTokenInit function, where a NegotiationToken union on the stack is used before being initialized. If gss_decapsulate_token fails on the incoming token, the function jumps to its cleanup path without ever populating the union and hands the stale stack contents to _asn1_free(), which frees whatever pointer values happen to be there. That is memory corruption under the control of whoever sent the token and can lead to code execution. Apple resolved it by zeroing the union with memset() before decoding, so that the early-exit cleanup frees only NULL pointers when the untrusted token is rejected.
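The uninitialized-union pattern above, reduced to a runnable model. This is an added example, not Apple's Kerberos Helper code: the NegotiationToken layout, the decapsulate() stand-in for gss_decapsulate_token and the sample tokens are all constructed here, and a tracking allocator counts frees of pointers it never handed out instead of executing them, so the garbage-free path can be observed without undefined behaviour. The 0xA5 fill is a deterministic stand-in for whatever the previous stack frame left behind.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for the decoded SPNEGO NegotiationToken: a union whose arms own
 * heap buffers, released by a free routine that (like _asn1_free) walks the
 * struct and frees every pointer it finds. Layout is illustrative only. */
typedef struct { uint8_t *mech_types; size_t mech_types_len;
                 uint8_t *mech_token; size_t mech_token_len; } NegTokenInit;
typedef struct { uint8_t *response_token; size_t response_token_len; } NegTokenResp;
typedef union  { NegTokenInit init; NegTokenResp resp; } NegotiationToken;

/* Tracking allocator: a free of a pointer that was never allocated is counted
 * rather than executed. In a kernel it would be a wild free. */
#define MAX_LIVE 8
static void *live[MAX_LIVE];
static int invalid_frees;

static void *t_alloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < MAX_LIVE; i++) if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;
}
static void t_free(void *p) {
    if (!p) return;                           /* free(NULL) is legal: this is why zeroing works */
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == p) { free(p); live[i] = NULL; return; }
    invalid_frees++;
}
static int live_count(void) {
    int c = 0;
    for (int i = 0; i < MAX_LIVE; i++) c += live[i] != NULL;
    return c;
}

/* Mirrors _asn1_free(): releases every pointer in the init arm. */
static void negotiation_token_free(NegotiationToken *t) {
    t_free(t->init.mech_types);
    t_free(t->init.mech_token);
}

/* Constructed stand-in for gss_decapsulate_token(): the outer wrapper must
 * start with the [APPLICATION 0] tag 0x60 and carry a correct body length. */
static int decapsulate(const uint8_t *in, size_t len, const uint8_t **body, size_t *body_len) {
    if (len < 3 || in[0] != 0x60 || in[1] != len - 2) return -1;
    *body = in + 2;
    *body_len = len - 2;
    return 0;
}

/* Vulnerable and fixed flows differ only in whether tok is zeroed first. */
static int decode_neg_token_init(const uint8_t *in, size_t len, int zero_init) {
    NegotiationToken tok;
    memset(&tok, 0xA5, sizeof tok);               /* simulated stale stack contents */
    if (zero_init) memset(&tok, 0, sizeof tok);   /* the fix: initialize before any exit path */
    const uint8_t *body; size_t body_len;
    int rc = decapsulate(in, len, &body, &body_len);
    if (rc != 0) goto out;                        /* early exit: tok was never populated */
    tok.init.mech_types = t_alloc(body_len);      /* on success the decoder writes every field */
    if (!tok.init.mech_types) { rc = -1; goto out; }
    memcpy(tok.init.mech_types, body, body_len);
    tok.init.mech_types_len = body_len;
    tok.init.mech_token = NULL;
    tok.init.mech_token_len = 0;
out:
    negotiation_token_free(&tok);                 /* frees garbage on the vulnerable error path */
    return rc;
}

/* Constructed tokens: wrong outer tag (rejected) and a well-formed wrapper. */
static const uint8_t bad_token[]  = { 0x30, 0x05, 'x', 'y', 'z', 'w', 'v' };
static const uint8_t good_token[] = { 0x60, 0x04, 0x06, 0x02, 0x2a, 0x03 };

/* Number of wild frees the vulnerable flow performs on a rejected token (2). */
int demo_vuln_bad_input(void) {
    invalid_frees = 0;
    decode_neg_token_init(bad_token, sizeof bad_token, 0);
    return invalid_frees;
}
/* Fixed flow on the same token: error returned, no wild frees (0). */
int demo_fixed_bad_input(void) {
    invalid_frees = 0;
    int rc = decode_neg_token_init(bad_token, sizeof bad_token, 1);
    return rc == -1 ? invalid_frees : -99;
}
/* Fixed flow on a good token: decodes, frees cleanly, leaves nothing live (0). */
int demo_fixed_good_input(void) {
    invalid_frees = 0;
    int rc = decode_neg_token_init(good_token, sizeof good_token, 1);
    return (rc == 0 && invalid_frees == 0) ? live_count() : -99;
}

int main(void) {
    printf("vulnerable, bad token: %d wild frees\n", demo_vuln_bad_input());
    printf("fixed, bad token:      %d wild frees\n", demo_fixed_bad_input());
    printf("fixed, good token:     %d buffers leaked\n", demo_fixed_good_input());
    return 0;
}
```

The fix works because the cleanup routine tolerates NULL but not arbitrary values; any decoder that shares one cleanup label between its success and failure paths needs the same zero-initialization before the first possible goto.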
The third vulnerability, described as a local privilege escalation, involves the SMBIOC_UPDATE_NOTIFIER_PID ioctl interface. The handler performs no permission check, so any unprivileged user can register an arbitrary process ID as the notifier for an SMB mount. When that volume is unmounted, the kernel sends SIGTERM to the registered PID without regard to who registered it. Any local user can therefore deliver termination signals to critical system processes such as launchd, which takes the whole system down. Apple mitigated this by enforcing entitlement-based access controls on who may register for notifications.
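A model of the register-then-signal path described above, with the missing authorization check beside the hardened form. This is an added example, not Apple's smbfs ioctl code: the structure and field names, the caller context and the entitlement flag are assumptions made for illustration. The signal sender is injected so the demo records what would be signalled instead of delivering SIGTERM to a real process.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>

/* One notifier pid per mount; on unmount the kernel signals it. */
typedef struct { pid_t notifier_pid; } smb_mount_t;
/* What the kernel knows about the ioctl caller (assumed shape). */
typedef struct { pid_t pid; int has_notifier_entitlement; } caller_t;
typedef struct { pid_t pid; } smbioc_update_notifier_pid_t;

/* Vulnerable: any caller may point the notifier at any pid. */
int notifier_register_unchecked(smb_mount_t *mp, const caller_t *c,
                                const smbioc_update_notifier_pid_t *req) {
    (void)c;                                  /* caller identity never consulted */
    mp->notifier_pid = req->pid;
    return 0;
}

/* Hardened: a process may register only itself unless it holds the
 * notifier entitlement (assumed name; Apple's fix is entitlement-based). */
int notifier_register_checked(smb_mount_t *mp, const caller_t *c,
                              const smbioc_update_notifier_pid_t *req) {
    if (req->pid <= 0) return EINVAL;
    if (req->pid != c->pid && !c->has_notifier_entitlement) return EPERM;
    mp->notifier_pid = req->pid;
    return 0;
}

/* Unmount path. The sender is injectable so tests never call kill(2). */
typedef int (*signal_fn)(pid_t, int);
int smb_unmount_notify(smb_mount_t *mp, signal_fn send) {
    if (mp->notifier_pid <= 0) return 0;
    return send(mp->notifier_pid, SIGTERM);
}

static pid_t last_signaled;
static int last_signo;
static int record_signal(pid_t p, int s) { last_signaled = p; last_signo = s; return 0; }

/* Unprivileged pid 4242 asks to register pid 1 (launchd). Returns the pid the
 * unmount path signals, or -errno when registration is refused. */
static int run(int (*reg)(smb_mount_t *, const caller_t *, const smbioc_update_notifier_pid_t *),
               pid_t requested) {
    smb_mount_t mp = { 0 };
    caller_t c = { .pid = 4242, .has_notifier_entitlement = 0 };
    smbioc_update_notifier_pid_t req = { .pid = requested };
    int rc = reg(&mp, &c, &req);
    if (rc) return -rc;
    last_signaled = 0; last_signo = 0;
    smb_unmount_notify(&mp, record_signal);
    return (int)last_signaled;
}
int demo_unchecked_targets_launchd(void) { return run(notifier_register_unchecked, 1); }  /* 1 */
int demo_checked_refuses_launchd(void)   { return run(notifier_register_checked, 1); }    /* -EPERM */
int demo_checked_allows_self(void)       { return run(notifier_register_checked, 4242); } /* 4242 */
int demo_signal_used(void)               { run(notifier_register_checked, 4242); return last_signo; }

int main(void) {
    printf("unchecked: unmount signals pid %d\n", demo_unchecked_targets_launchd());
    printf("checked:   registering pid 1 -> %d (EPERM is %d)\n", demo_checked_refuses_launchd(), -EPERM);
    printf("checked:   registering self  -> signals pid %d with signo %d\n",
           demo_checked_allows_self(), demo_signal_used());
    return 0;
}
```

The lesson generalizes beyond this ioctl: any kernel interface that stores a PID for later delivery of a signal, notification or callback must bind the stored target to the caller's identity at registration time, because the privilege check at delivery time (here, none) runs in kernel context on the caller's behalf.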
To defend against these threats, users should apply the latest macOS updates immediately. Organizations with heavy SMB usage should disable SMB services where they are not needed, avoid mounting shares from untrusted servers (the two remote flaws are triggered by data the client receives), audit SMB configurations regularly, and apply the principle of least privilege to them. Together these measures shrink the remote attack surface and limit what an unpatched or misconfigured system exposes.
Impact
- Code Execution
- Denial of Service
Indicators of Compromise
CVE
CVE-2025-24269
CVE-2025-24235
Affected Vendors
- Apple
Affected Products
- Apple macOS Sonoma 14.7.4
- Apple macOS Sequoia 15.3
Remediation
- Refer to Apple's security document for patch, upgrade or suggested workaround information, and confirm that every Sonoma and Sequoia host is running the fixed build.
- Disable SMB file sharing services on systems where they are not actively needed to reduce the remote attack surface, and do not mount shares from servers you do not control while hosts remain unpatched.
- The entitlement-based access control on SMBIOC_UPDATE_NOTIFIER_PID is delivered by Apple's patch and cannot be configured by administrators; treat an unpatched host as one where any local user can signal arbitrary processes.
- Conduct regular security audits to ensure SMB configurations follow the principle of least privilege.
- Where the SMB client configuration allows it, avoid negotiating SMB2 compression algorithms (SMB2_COMPRESSION_LZNT1, LZ77, LZ77+HUFFMAN) in high-security environments.
- Ensure proper memory initialization and length validation in custom SMB-related components or third-party extensions.