Skip to main content

Linux Kernel CVE-2026-53271

| EUVDEUVD-2026-39222 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-hxmm-jmj9-253j
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.3 MEDIUM

ksmbd is network-bound and the oops is explicitly 'remotely triggerable,' warranting AV:N; AC:H reflects race-condition timing dependency; PR:L for required authenticated SMB session.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 04:15 vuln.today
CVSS changed
Jul 08, 2026 - 04:07 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers

smb2_oplock_break_noti() and smb2_lease_break_noti() read opinfo->conn into a local with neither READ_ONCE() nor a NULL check. Both run from oplock_break() after opinfo_get_list() has dropped ci->m_lock, so a concurrent SMB2 LOGOFF (session_fd_check()) can set op->conn = NULL under ci->m_lock within that window. ksmbd_conn_r_count_inc(conn) then writes through NULL at offset 0xc4 -- a remotely triggerable oops.

Guard both reads the way compare_guid_key() already does: read opinfo->conn with READ_ONCE() and return early if it is NULL, before allocating the work struct so nothing leaks. A NULL conn means the client is gone and the break is moot, so return 0; oplock_break() treats that as success and runs the normal teardown.

AnalysisAI

NULL pointer dereference in the ksmbd (in-kernel SMB server) subsystem of the Linux kernel causes a remotely triggerable kernel oops, resulting in denial of service. The race condition in smb2_oplock_break_noti() and smb2_lease_break_noti() allows an authenticated SMB client to crash the kernel by racing an SMB2 LOGOFF against an oplock/lease break notification - setting opinfo->conn to NULL in the window after ci->m_lock is dropped, then dereferencing it in ksmbd_conn_r_count_inc(). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to ksmbd SMB server
Delivery
Open file to acquire oplock or lease
Exploit
Trigger oplock break condition on server
Execution
Race SMB2 LOGOFF to NULL opinfo->conn
Persist
Notifier dereferences NULL pointer at offset 0xc4
Impact
Kernel oops crashes system

Vulnerability AssessmentAI

Exploitation ksmbd must be running as the active SMB server (kernel module loaded, service configured and listening - this is a non-default state on all major Linux distributions and requires explicit administrator configuration). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score of 5.5 (Medium, AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) likely understates the attack vector: the description explicitly calls this 'a remotely triggerable oops,' and ksmbd is a network-bound SMB server - AV:N with AC:H (race condition) and PR:L (authenticated SMB session) is arguably more representative. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid SMB account on a ksmbd-serving Linux host opens a file to acquire an oplock, then races an SMB2 LOGOFF request against the server's oplock break notification for that file. In the window after oplock_break() drops ci->m_lock but before the notifier checks opinfo->conn, the LOGOFF handler zeros conn, causing the notifier to call ksmbd_conn_r_count_inc(NULL) and write through a NULL pointer at kernel offset 0xc4, producing a kernel oops and system crash. …
Remediation Patch to Linux kernel 6.6.143, 6.12.94, 7.0.13, or 7.1 stable release - whichever corresponds to the deployed stable branch. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53271 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy