Skip to main content

Linux Kernel EUVDEUVD-2026-28684

| CVE-2026-43378 CRITICAL
Use After Free (CWE-416)
2026-05-08 Linux GHSA-8cfc-95hv-9rqj
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
May 20, 2026 - 17:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 20, 2026 - 17:22 vuln.today
cvss_changed
Severity Changed
May 20, 2026 - 17:22 NVD
HIGH CRITICAL
CVSS changed
May 20, 2026 - 17:22 NVD
7.8 (HIGH) 9.8 (CRITICAL)
Analysis Generated
May 19, 2026 - 22:30 vuln.today
CVSS changed
May 19, 2026 - 20:22 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

smb: server: fix use-after-free in smb2_open()

The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is dereferenced after rcu_read_unlock(), creating a use-after-free window.

AnalysisAI

Use-after-free in the Linux kernel's ksmbd SMB server (smb2_open()) allows remote attackers to potentially trigger memory corruption when accessing an opinfo pointer dereferenced after rcu_read_unlock(). The flaw is fixed in upstream stable releases (6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0); no public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.

Technical ContextAI

The bug lives in fs/smb/server/smb2pdu.c within ksmbd, the in-kernel SMB3 server introduced in Linux 5.15. The code obtains a pointer to an oplock-info structure via rcu_dereference(fp->f_opinfo) inside an RCU read-side critical section, but then continues to use that pointer after calling rcu_read_unlock(). Because RCU only guarantees the object remains valid while the read-side lock is held, a concurrent writer can free the opinfo between the unlock and the subsequent dereference, producing the classic CWE-416 use-after-free pattern. Exploiting such a race in kernel memory can lead to information disclosure, denial of service, or - depending on slab reuse - arbitrary kernel memory corruption.

RemediationAI

Vendor-released patch: upgrade to Linux 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, or 7.0 (or later) on the corresponding stable branch; the relevant stable commits are published at https://git.kernel.org/stable/c/54b48ae83de8bb06e65079d96368efe359d4909c, https://git.kernel.org/stable/c/190e5f808e8058640b408ccfed25440b441a718a, https://git.kernel.org/stable/c/e1b21e6066615e7d3d3a7aa2677e415e563fd7cc, https://git.kernel.org/stable/c/8f5b1a7cb009a93c48e9e334a2f59a660f9afc07, https://git.kernel.org/stable/c/1e689a56173827669a35da7cb2a3c78ed5c53680, and https://git.kernel.org/stable/c/b720c84087cb547f23ce03eab93568c1769e4556, with the corresponding distro security tracker (RHSA, USN, DSA, SUSE-SU) as the practical source for backported binaries. Until kernels are upgraded, the most effective compensating control is to stop and blacklist the ksmbd module (modprobe -r ksmbd and an entry in /etc/modprobe.d/) on hosts that do not need an in-kernel SMB server - the side effect is loss of ksmbd-based file sharing, but Samba (userspace smbd) is unaffected. Where ksmbd must run, restrict TCP/445 (and 139) at host or perimeter firewalls to a trusted management VLAN and require authenticated SMB sessions, accepting that this does not eliminate the race but dramatically shrinks the attacker population.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28684 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy