Skip to main content

Linux Kernel ksmbd EUVDEUVD-2026-28685

| CVE-2026-43379 CRITICAL
Use After Free (CWE-416)
2026-05-08 Linux GHSA-wvq8-6v44-2qvw
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:31 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
9.8 (CRITICAL)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
CRITICAL 9.8
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close()

opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is being accessed after rcu_read_unlock() has been called. This creates a race condition where the memory could be freed by a concurrent writer between the unlock and the subsequent pointer dereferences (opinfo->is_lease, etc.), leading to a use-after-free.

AnalysisAI

Use-after-free in Linux kernel ksmbd allows remote unauthenticated attackers to potentially execute arbitrary code, disclose sensitive information, or cause denial of service. The vulnerability stems from improper RCU lock handling in smb_lazy_parent_lease_break_close() where opinfo pointer is dereferenced after RCU read unlock, creating a race condition. Patches available across multiple kernel versions (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). Despite critical CVSS 9.8 score, EPSS exploitation probability is low (0.02%, 5th percentile) and no active exploitation or public POC identified at time of analysis.

Technical ContextAI

This vulnerability affects ksmbd, the in-kernel SMB3 server implementation introduced in Linux 5.15. The flaw is a use-after-free condition caused by violating Read-Copy-Update (RCU) synchronization rules. In smb_lazy_parent_lease_break_close(), the code obtains an opinfo pointer via rcu_dereference(fp->f_opinfo) within an RCU read-side critical section, then calls rcu_read_unlock() before accessing opinfo fields (is_lease, etc.). This creates a time window where concurrent code could free the opinfo structure between unlock and access, resulting in dereferencing freed memory. Use-after-free vulnerabilities are particularly dangerous in kernel code as they can lead to arbitrary code execution when attackers control the freed memory contents through heap manipulation techniques. The affected component handles SMB lease break operations, part of the opportunistic lock (oplock) mechanism used for client-side caching in SMB protocol.

RemediationAI

Upgrade to patched Linux kernel versions: 6.6.130+ for 6.6.x series, 6.12.78+ for 6.12.x, 6.18.19+ for 6.18.x, 6.19.9+ for 6.19.x, or 7.0+ for latest mainline. Patches available via standard kernel update mechanisms for major distributions (apt, yum, dnf). Verify fix application by checking kernel version with 'uname -r' and confirming commit presence with 'git log' if building from source. For systems that cannot immediately patch: disable ksmbd module if not required ('rmmod ksmbd' and blacklist in /etc/modprobe.d/); if SMB server functionality is required, migrate to userspace Samba server which is unaffected by this kernel vulnerability; restrict network access to ksmbd service (TCP ports 445, 139) to trusted networks only via firewall rules as compensating control, though this does not eliminate risk from internal threats or compromised trusted systems. Note that disabling ksmbd will interrupt SMB file sharing services; plan maintenance window accordingly. Workaround trade-off: userspace Samba has slightly higher CPU overhead but eliminates kernel-level attack surface for this vulnerability class.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28685 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy