Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network SMB reachable but exploitation needs winning a double-cancel race (AC:H) and an authenticated session (PR:L); kernel slab UAF can corrupt memory and crash the host, so C/I/A:H.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL
A deferred byte-range lock (an SMB2_LOCK that blocks) registers an async work on conn->async_requests via setup_async_work(), with cancel_fn = smb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock.
When the request is cancelled, the worker frees the file_lock with locks_free_lock() and takes the cancelled early-exit, which "goto out"s and never reaches release_async_work() -- the only site that unlinks the work from conn->async_requests and clears cancel_fn/cancel_argv. The work therefore stays matchable on async_requests with a live cancel_fn pointing at the freed file_lock, until connection teardown finally runs release_async_work().
smb2_cancel() fires cancel_fn unconditionally with no state guard, so a second SMB2_CANCEL for the same AsyncId, arriving in that window, re-runs smb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free:
BUG: KASAN: slab-use-after-free in __locks_delete_block __locks_delete_block locks_delete_block ksmbd_vfs_posix_lock_unblock smb2_remove_blocked_lock smb2_cancel <- 2nd SMB2_CANCEL fires cancel_fn handle_ksmbd_work Allocated by ...: locks_alloc_lock <- smb2_lock Freed by ...: locks_free_lock <- smb2_lock (cancelled branch) ... cache file_lock_cache of size 192
Reproduced on mainline with KASAN by an authenticated SMB client.
Skip a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback cannot be fired a second time.
AnalysisAI
Use-after-free in the Linux kernel's in-kernel SMB server (ksmbd) lets an authenticated SMB client corrupt kernel slab memory by sending a second SMB2_CANCEL for the same AsyncId of a blocking byte-range lock. The first cancel frees the struct file_lock but takes an early-exit that never unlinks the async work or clears its cancel callback, leaving a live cancel_fn pointing at freed memory in the file_lock_cache (size 192) slab; a racing second cancel re-runs smb2_remove_blocked_lock() on the dangling pointer. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the target to be running the in-kernel ksmbd SMB server with at least one exported share, and the attacker must hold valid SMB credentials (authenticated session, PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with valid SMB credentials connects to a ksmbd-exported share, issues an SMB2_LOCK that blocks (deferred byte-range lock), then races two SMB2_CANCEL requests for the same AsyncId so the second fires the stale cancel callback against the already-freed file_lock. This triggers a kernel slab use-after-free that most likely panics the server (DoS) and could potentially be groomed toward kernel memory corruption. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later on each branch), which add the KSMBD_WORK_CANCELLED state guard so a cancel callback cannot fire twice; the upstream fix is commit f580d27e8928 and stable backports listed at git.kernel.org (e.g. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running ksmbd (Linux SMB file servers, NAS appliances) and assess external access points and user privilege levels. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39289
GHSA-62m5-m548-5v5f