Skip to main content

Linux Kernel ksmbd CVE-2026-53198

| EUVDEUVD-2026-39289 HIGH
Use After Free (CWE-416)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-62m5-m548-5v5f
8.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Network SMB reachable but exploitation needs winning a double-cancel race (AC:H) and an authenticated session (PR:L); kernel slab UAF can corrupt memory and crash the host, so C/I/A:H.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:29 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL

A deferred byte-range lock (an SMB2_LOCK that blocks) registers an async work on conn->async_requests via setup_async_work(), with cancel_fn = smb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock.

When the request is cancelled, the worker frees the file_lock with locks_free_lock() and takes the cancelled early-exit, which "goto out"s and never reaches release_async_work() -- the only site that unlinks the work from conn->async_requests and clears cancel_fn/cancel_argv. The work therefore stays matchable on async_requests with a live cancel_fn pointing at the freed file_lock, until connection teardown finally runs release_async_work().

smb2_cancel() fires cancel_fn unconditionally with no state guard, so a second SMB2_CANCEL for the same AsyncId, arriving in that window, re-runs smb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free:

BUG: KASAN: slab-use-after-free in __locks_delete_block __locks_delete_block locks_delete_block ksmbd_vfs_posix_lock_unblock smb2_remove_blocked_lock smb2_cancel <- 2nd SMB2_CANCEL fires cancel_fn handle_ksmbd_work Allocated by ...: locks_alloc_lock <- smb2_lock Freed by ...: locks_free_lock <- smb2_lock (cancelled branch) ... cache file_lock_cache of size 192

Reproduced on mainline with KASAN by an authenticated SMB client.

Skip a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback cannot be fired a second time.

AnalysisAI

Use-after-free in the Linux kernel's in-kernel SMB server (ksmbd) lets an authenticated SMB client corrupt kernel slab memory by sending a second SMB2_CANCEL for the same AsyncId of a blocking byte-range lock. The first cancel frees the struct file_lock but takes an early-exit that never unlinks the async work or clears its cancel callback, leaving a live cancel_fn pointing at freed memory in the file_lock_cache (size 192) slab; a racing second cancel re-runs smb2_remove_blocked_lock() on the dangling pointer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate to ksmbd SMB share
Delivery
Send blocking SMB2_LOCK (deferred lock)
Exploit
Issue first SMB2_CANCEL freeing file_lock
Install
Race second SMB2_CANCEL on same AsyncId
C2
Fire stale cancel_fn on freed lock
Execute
Trigger kernel slab use-after-free
Impact
Crash or corrupt kernel memory

Vulnerability AssessmentAI

Exploitation Requires the target to be running the in-kernel ksmbd SMB server with at least one exported share, and the attacker must hold valid SMB credentials (authenticated session, PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with valid SMB credentials connects to a ksmbd-exported share, issues an SMB2_LOCK that blocks (deferred byte-range lock), then races two SMB2_CANCEL requests for the same AsyncId so the second fires the stale cancel callback against the already-freed file_lock. This triggers a kernel slab use-after-free that most likely panics the server (DoS) and could potentially be groomed toward kernel memory corruption. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later on each branch), which add the KSMBD_WORK_CANCELLED state guard so a cancel callback cannot fire twice; the upstream fix is commit f580d27e8928 and stable backports listed at git.kernel.org (e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running ksmbd (Linux SMB file servers, NAS appliances) and assess external access points and user privilege levels. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53198 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy