Skip to main content

Linux Kernel CVE-2026-45972

| EUVDEUVD-2026-32256 CRITICAL
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-6w7x-q46j-6x9r
9.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
CVE Published
Jun 22, 2026 - 06:03 cve.org
CRITICAL 9.8
Analysis Generated
May 30, 2026 - 11:32 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
9.8 (CRITICAL)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix potential UAF and double free in smb2_open_file()

Zero out @err_iov and @err_buftype before retrying SMB2_open() to prevent an UAF bug if @data != NULL, otherwise a double free.

AnalysisAI

Use-after-free and double-free conditions in the Linux kernel's SMB client (smb2_open_file) can be triggered when SMB2_open() retry paths fail to zero out err_iov and err_buftype buffers, leading to memory corruption. The flaw affects multiple stable kernel branches (6.1, 6.6, 6.12, 6.18) and is fixed in upstream patches; no public exploit identified at time of analysis and EPSS is very low (0.02%) despite the 9.8 CVSS score.

Technical ContextAI

The vulnerability resides in fs/smb/client/ within the cifs/SMB2 client implementation, specifically in smb2_open_file() which handles file open operations over the SMB2/3 protocol. When the function retries SMB2_open() after an initial failure, stale values in the err_iov (iovec) and err_buftype response buffers are reused - if a caller passes a non-NULL data pointer, the previously freed iov can be referenced again (use-after-free), and if not, the same buffer pointer is freed twice (double-free). The root cause class is CWE-416 (Use After Free) / CWE-415 (Double Free), classic memory-safety bugs in retry/cleanup paths where state is not reset between attempts. CPE data is not yet available, but EUVD listings name the affected commit ranges across kernel branches.

RemediationAI

Vendor-released patch: upgrade to Linux 6.1.165, 6.6.128, 6.12.75, 6.18.14, or 6.19.4 (or later) depending on the branch in use, applying the stable commits referenced at git.kernel.org/stable/c/4d339b219004869e96c4ce56b8891f83a38da4c0 and the related sibling commits listed above. If patching is not immediately feasible on hosts that mount remote SMB shares, restrict outbound SMB (TCP 445, 139) to known, trusted file servers via host or network firewall rules and avoid mounting cifs/SMB shares from untrusted networks - note that this breaks any legitimate SMB workflow that depends on those destinations. Unloading the cifs module (rmmod cifs) on systems that do not require SMB client functionality fully removes the attack surface but will break any active SMB mounts.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-45972 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy