Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Authenticated SMB session needed (PR:L) and exploitation depends on the multichannel binding slowpath plus a concurrent victim session (AC:H); impact is primarily unauthorized session read (C:H), limited integrity, no availability.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: scope conn->binding slowpath to bound sessions only
When the binding SESSION_SETUP sets conn->binding = true, the flag stays set after the call so that the global session lookup in ksmbd_session_lookup_all() can find the session, which was not added to conn->sessions. Because the flag is connection-wide, the global lookup path will also resolve any other session by id if asked.
Tighten the global lookup so that the returned session must have this connection registered in its channel xarray (sess->ksmbd_chann_list). The channel entry is installed by the existing binding_session path in ntlm_authenticate()/krb5_authenticate() when a SESSION_SETUP completes successfully, so this condition is a strict equivalent of "this connection has been accepted as a channel of this session". Connections that have not bound to a given session cannot reach it via the global table.
The existing conn->binding gate for entering the slowpath is preserved so that non-binding connections keep the fast-path-only behavior, and the session->state check is unchanged.
AnalysisAI
Improper session authorization in the Linux kernel's in-kernel SMB3 server (ksmbd) lets an authenticated SMB client reach sessions it never bound to. Because the connection-wide conn->binding flag stays set after a binding SESSION_SETUP, the global lookup in ksmbd_session_lookup_all() would resolve any session by ID, allowing a low-privileged remote user to access another user's session (Information Disclosure tagged). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires that the target host runs ksmbd as an active SMB server exporting shares (not the default on most Linux systems, which use Samba), and that the attacker holds valid credentials to establish an authenticated SMB session (consistent with PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) rates this high, but several signals temper real-world urgency: EPSS is only 0.18% (7th percentile), there is no CISA KEV listing and no public PoC, and the 'Information Disclosure' tag suggests confidentiality is the dominant impact rather than the full C:H/I:H/A:H triad the vector claims. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with valid credentials to a ksmbd share opens an SMB3 connection and issues a binding SESSION_SETUP, setting the connection-wide binding flag; they then request another session by ID through the global lookup and, because the connection was never validated as a channel of that session, gain access to a different user's authenticated session and its data. No public proof-of-concept is currently identified, and the requirement for the multichannel binding path plus a concurrent victim session means low-but-non-trivial complexity. |
| Remediation | Vendor-released patch: upgrade to a fixed kernel - 5.15.209, 6.1.175, 6.6.141, 6.12.91, 7.0.10, 6.18.33, or mainline 7.1 (or later in each series); Debian users should apply DSA-6355-1 (https://security-tracker.debian.org/tracker/dsa-6355-1). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit inventory of Linux servers running ksmbd-enabled kernels and prioritize production SMB servers. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | not-affected | - | - |
| bullseye (security) | fixed | 5.10.257-1 | - |
| bookworm | vulnerable | 6.1.170-3 | - |
| bookworm (security) | vulnerable | 6.1.174-1 | - |
| trixie | fixed | 6.12.94-1 | - |
| trixie (security) | vulnerable | 6.12.90-2 | - |
| forky | fixed | 7.0.12-2 | - |
| sid | fixed | 7.0.13-1 | - |
| (unstable) | fixed | 7.0.10-1 | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38148
GHSA-593m-gq54-r4vq