Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Reaching the durable-reconnect path needs an authenticated SMB session (PR:L) and a timing/error race (AC:H); kernel UAF yields memory disclosure (C:H) and crash potential (A:H), with limited integrity impact.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free in smb2_open during durable reconnect
In smb2_open, the call to ksmbd_put_durable_fd(fp) drops the reference to the durable file descriptor early during the durable reconnect process. If an error occurs subsequently (eg, ksmbd_iov_pin_rsp fails) or a scavenger accesses the file, it leads to a use-after-free when accessing fp properties (eg fp->create_time).
Move the single put to the end of the function below err_out2 so fp stays valid until smb2_open returns.
AnalysisAI
Use-after-free in the Linux kernel's ksmbd in-kernel SMB3 server occurs during durable handle reconnect, where smb2_open prematurely drops the durable file reference via ksmbd_put_durable_fd(fp); a subsequent error path or scavenger access then dereferences freed fp fields (e.g., fp->create_time). Affecting Linux ksmbd across multiple stable branches and fixed in releases such as 6.6.32, 6.18.33, 7.0.10, and 7.1, the flaw is rated CVSS 9.8 but carries a low EPSS of 0.17% (6th percentile); it is not in CISA KEV and no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target kernel to have ksmbd enabled and actively serving SMB shares, and the attacker must drive the SMB2 durable-handle reconnect code path in smb2_open - meaning an established SMB session that opens a file with a durable handle and then reconnects. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals here conflict and warrant scrutiny. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach a ksmbd-served SMB share authenticates, opens a file requesting a durable handle, then forces a reconnect while inducing an error in the response path (or races the scavenger reaping the handle), causing smb2_open to access the already-freed file object and corrupt kernel memory. The result could crash the server (denial of service) or leak adjacent kernel data, with potential for further escalation; no public exploit code is identified at time of analysis. |
| Remediation | Vendor-released patch: update to a fixed Linux kernel release for your branch - the patched versions noted include 6.6.32, 6.18.33, 7.0.10, and 7.1; apply the corresponding stable update shipped by your distribution that incorporates upstream commits ce2e164c, 97a0cd55, and 1baff47b (https://git.kernel.org/stable/c/ce2e164c1c51c3f7813b80f8c926836e896bcbb3). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
**Within 24 hours:** Inventory all Linux systems running ksmbd (check with grep CONFIG_SMB_SERVER /boot/config-$(uname -r) or similar) and identify vulnerable kernel versions using uname -r. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-416 – Use After Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38878
GHSA-xvgg-vwv8-fvr6