Skip to main content

Linux Kernel ksmbd CVE-2026-43376

| EUVDEUVD-2026-28682 CRITICAL
Use After Free (CWE-416)
2026-05-08 Linux GHSA-3v8x-c22j-hv4q
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:30 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
9.8 (CRITICAL)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
CRITICAL 9.8
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free by using call_rcu() for oplock_info

ksmbd currently frees oplock_info immediately using kfree(), even though it is accessed under RCU read-side critical sections in places like opinfo_get() and proc_show_files().

Since there is no RCU grace period delay between nullifying the pointer and freeing the memory, a reader can still access oplock_info structure after it has been freed. This can leads to a use-after-free especially in opinfo_get() where atomic_inc_not_zero() is called on already freed memory.

Fix this by switching to deferred freeing using call_rcu().

AnalysisAI

Use-after-free in Linux kernel ksmbd allows remote unauthenticated attackers to execute arbitrary code, escalate privileges, or cause denial of service by racing oplock_info access during concurrent RCU read operations. The vulnerability stems from immediate kfree() without RCU grace period, enabling opinfo_get() to call atomic_inc_not_zero() on freed memory. CVSS 9.8 reflects network exploitability without authentication, though EPSS score of 0.02% (5th percentile) suggests minimal observed exploitation attempts. Vendor patches available across multiple kernel versions (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0) with fixes referenced in five upstream commits. Not listed in CISA KEV; no public exploit code identified at time of analysis.

Technical ContextAI

The ksmbd server (kernel-mode SMB server introduced in Linux 5.15) uses RCU (Read-Copy-Update) synchronization for oplock_info structures to allow lock-free concurrent reads. RCU requires deferred freeing through call_rcu() to ensure grace period completion before memory reclamation. The vulnerable code path in opinfo_get() performs atomic_inc_not_zero() on reference counts within RCU critical sections, assuming structure validity. Immediate kfree() violates RCU's fundamental invariant that readers can safely dereference pointers obtained before grace period expiry. CPE strings (cpe:2.3:a:linux:linux) indicate Linux kernel packages containing ksmbd module. The bug class resembles classic RCU use-after-free patterns seen in other kernel subsystems, where synchronization primitives are mismatched with memory management strategies. EUVD version data shows affected commit ranges starting from 18b4fac5ef17 and d54ab1520d43, with fixes landed in commits 302fef75512b, 08aa9f3c8cf4, 1d6abf145615, ce8507ee82c8, and 1dfd062caa16 across stable branches.

RemediationAI

Upgrade to patched Linux kernel versions: 6.6.130+ for 6.6.x series, 6.12.78+ for 6.12.x series, 6.18.19+ for 6.18.x series, 6.19.9+ for 6.19.x series, or 7.0+ for mainline. Verify patch integration by checking for commits 302fef75512b, 08aa9f3c8cf4, 1d6abf145615, ce8507ee82c8, or 1dfd062caa16 in kernel changelogs available at https://git.kernel.org/stable/. Distribution users should apply security updates through package managers (apt, dnf, zypper) when vendors release patched kernel packages. If immediate patching is unfeasible, disable ksmbd module entirely via 'rmmod ksmbd' and block autoloading with 'echo "install ksmbd /bin/true" > /etc/modprobe.d/disable-ksmbd.conf', then restart. This mitigation eliminates attack surface but breaks SMB server functionality - acceptable for systems not requiring kernel-mode SMB sharing. Alternative: restrict ksmbd network access via firewall rules (block ports 445, 139) to trusted management networks only, reducing exposure to remote attacks while maintaining local functionality. This partial mitigation does not address privilege escalation risk from local authenticated users. Do not rely on ksmbd access controls alone, as race condition occurs before authentication layer.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43376 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy