Skip to main content

Linux kernel ksmbd CVE-2026-52911

| EUVDEUVD-2026-38148 HIGH
2026-06-21 Linux GHSA-593m-gq54-r4vq
8.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.9 MEDIUM

Authenticated SMB session needed (PR:L) and exploitation depends on the multichannel binding slowpath plus a concurrent victim session (AC:H); impact is primarily unauthorized session read (C:H), limited integrity, no availability.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 10:32 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.8 (HIGH)
Patch available
Jun 21, 2026 - 09:16 EUVD
CVE Published
Jun 21, 2026 - 06:18 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 21, 2026 - 06:18 cve.org
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: scope conn->binding slowpath to bound sessions only

When the binding SESSION_SETUP sets conn->binding = true, the flag stays set after the call so that the global session lookup in ksmbd_session_lookup_all() can find the session, which was not added to conn->sessions. Because the flag is connection-wide, the global lookup path will also resolve any other session by id if asked.

Tighten the global lookup so that the returned session must have this connection registered in its channel xarray (sess->ksmbd_chann_list). The channel entry is installed by the existing binding_session path in ntlm_authenticate()/krb5_authenticate() when a SESSION_SETUP completes successfully, so this condition is a strict equivalent of "this connection has been accepted as a channel of this session". Connections that have not bound to a given session cannot reach it via the global table.

The existing conn->binding gate for entering the slowpath is preserved so that non-binding connections keep the fast-path-only behavior, and the session->state check is unchanged.

AnalysisAI

Improper session authorization in the Linux kernel's in-kernel SMB3 server (ksmbd) lets an authenticated SMB client reach sessions it never bound to. Because the connection-wide conn->binding flag stays set after a binding SESSION_SETUP, the global lookup in ksmbd_session_lookup_all() would resolve any session by ID, allowing a low-privileged remote user to access another user's session (Information Disclosure tagged). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to ksmbd SMB share
Delivery
Open binding SESSION_SETUP connection
Exploit
Set conn->binding flag
Execution
Resolve victim session by ID via global lookup
Impact
Access unauthorized session data

Vulnerability AssessmentAI

Exploitation Requires that the target host runs ksmbd as an active SMB server exporting shares (not the default on most Linux systems, which use Samba), and that the attacker holds valid credentials to establish an authenticated SMB session (consistent with PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) rates this high, but several signals temper real-world urgency: EPSS is only 0.18% (7th percentile), there is no CISA KEV listing and no public PoC, and the 'Information Disclosure' tag suggests confidentiality is the dominant impact rather than the full C:H/I:H/A:H triad the vector claims. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with valid credentials to a ksmbd share opens an SMB3 connection and issues a binding SESSION_SETUP, setting the connection-wide binding flag; they then request another session by ID through the global lookup and, because the connection was never validated as a channel of that session, gain access to a different user's authenticated session and its data. No public proof-of-concept is currently identified, and the requirement for the multichannel binding path plus a concurrent victim session means low-but-non-trivial complexity.
Remediation Vendor-released patch: upgrade to a fixed kernel - 5.15.209, 6.1.175, 6.6.141, 6.12.91, 7.0.10, 6.18.33, or mainline 7.1 (or later in each series); Debian users should apply DSA-6355-1 (https://security-tracker.debian.org/tracker/dsa-6355-1). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit inventory of Linux servers running ksmbd-enabled kernels and prioritize production SMB servers. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.257-1 -
bookworm vulnerable 6.1.170-3 -
bookworm (security) vulnerable 6.1.174-1 -
trixie fixed 6.12.94-1 -
trixie (security) vulnerable 6.12.90-2 -
forky fixed 7.0.12-2 -
sid fixed 7.0.13-1 -
(unstable) fixed 7.0.10-1 -

Share

CVE-2026-52911 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy