Smb4K on Debian (CVE-2025-66002): Local Privilege Escalation in Samba Share Mounting

The Debian security team opened 2026 on 1 January with advisory DSA-6092-1, which fixes two vulnerabilities in smb4k. Smb4K is a well-known KDE desktop utility that lets unprivileged users discover and mount Samba/CIFS network shares from the graphical environment, without editing /etc/fstab by hand or running mount as root.

What the vulnerabilities are

The advisory bundles two identifiers: CVE-2025-66002 and CVE-2025-66003. According to Debian’s description, both flaws relate to the improper handling of unprivileged mounting of Samba/CIFS network shares, and together they can lead to two types of impact:

  • Local denial of service: a local user could crash or hang the affected component.
  • Local privilege escalation: more seriously, an unprivileged system user could end up gaining higher permissions than they should have.

The problem lives in the mechanism that makes “unprivileged” mounting possible. Mounting a network filesystem needs root capability, so smb4k relies on a helper component with elevated privileges. When that helper fails to validate the input it gets from the user, a local attacker can manipulate the mount operation and perform actions with privileges they should not have.

Who is affected

This hits Debian systems that have the smb4k package installed, mainly KDE Plasma desktop machines where the tool is used to reach network shares. Worth stressing: this is not a remotely exploitable flaw. The attacker already needs local access, that is, an unprivileged account on the machine. Even so, on multi-user or shared systems a local privilege escalation is a serious risk, because it turns limited access into full control of the system.

If your machine does not have smb4k installed, this particular advisory does not affect you.

Severity

Debian does not assign a detailed public CVSS score in this advisory, and the issue is rated medium severity: there is no evidence of active exploitation or a remote vector, but the chance of escalating privileges locally is reason enough to apply the update without delay, especially on multi-user systems.

Mitigation and patch

The fix is straightforward: update the smb4k package. For the stable distribution (trixie, Debian 13) the problem has been fixed in version 4.0.0-1+deb13u1. Just apply the usual security updates:

sudo apt update
sudo apt upgrade smb4k

Or update the whole system with sudo apt full-upgrade. As a general habit, keep Debian’s automatic security updates enabled so you get these fixes as soon as they ship.
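To confirm the fix actually landed, here is an added example (not from the advisory or this article) that asks dpkg for the installed smb4k version and compares it against 4.0.0-1+deb13u1 using dpkg's own version ordering, reimplemented in Python so that suffixes such as "+deb13u1" and "~rc1" compare correctly rather than as plain strings. The function names are my own; the fixed version string is the one quoted in the advisory.

```python
import re
import subprocess
from itertools import zip_longest

FIXED = "4.0.0-1+deb13u1"  # smb4k version carrying the DSA-6092-1 fix on Debian 13 (trixie)

def _order(c):
    # dpkg's character weights: digits 0, letters their code, '~' below end-of-string, rest above
    return 0 if c.isdigit() else ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's verrevcmp: alternate non-digit runs (weighted chars) and digit runs (numeric)
    pairs = zip_longest(re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b), fillvalue=("", ""))
    for (sa, da), (sb, db) in pairs:
        for wa, wb in zip_longest(map(_order, sa), map(_order, sb), fillvalue=0):
            if wa != wb:
                return (wa > wb) - (wa < wb)
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return (na > nb) - (na < nb)
    return 0

def compare_versions(a, b):
    # -1, 0 or 1 like `dpkg --compare-versions`: epoch, then upstream version, then Debian revision
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (rev if sep else "")
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def assess(dpkg_line, fixed=FIXED):
    # dpkg_line is 'Status<TAB>Version' as printed by query_dpkg(), or None when dpkg has no such package
    status, _, version = (dpkg_line or "").strip().partition("\t")
    if status.split()[-1:] != ["installed"] or not version:  # covers None and 'deinstall ok config-files'
        return "not-installed"
    return "fixed" if compare_versions(version, fixed) >= 0 else "vulnerable"

def query_dpkg(package="smb4k"):
    # A literal tab goes into the format string; None when dpkg is absent (non-Debian host) or package unknown
    try:
        proc = subprocess.run(["dpkg-query", "-W", "-f=${Status}\t${Version}", package],
                              capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stdout if proc.returncode == 0 else None

if __name__ == "__main__":
    print("smb4k:", assess(query_dpkg()))
```

Run it on the trixie host after the upgrade; "vulnerable" means the package is still below the fixed version, and a later revision such as 4.0.0-2 is reported as "fixed" because it sorts above 4.0.0-1+deb13u1.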
