Skip to main content

Linux Kernel EUVDEUVD-2026-38878

| CVE-2026-53010 CRITICAL
Use After Free (CWE-416)
2026-06-24 Linux GHSA-xvgg-vwv8-fvr6
9.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.1 HIGH

Reaching the durable-reconnect path needs an authenticated SMB session (PR:L) and a timing/error race (AC:H); kernel UAF yields memory disclosure (C:H) and crash potential (A:H), with limited integrity impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:49 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
9.8 (CRITICAL)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 cve.org
CRITICAL 9.8
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in smb2_open during durable reconnect

In smb2_open, the call to ksmbd_put_durable_fd(fp) drops the reference to the durable file descriptor early during the durable reconnect process. If an error occurs subsequently (eg, ksmbd_iov_pin_rsp fails) or a scavenger accesses the file, it leads to a use-after-free when accessing fp properties (eg fp->create_time).

Move the single put to the end of the function below err_out2 so fp stays valid until smb2_open returns.

AnalysisAI

Use-after-free in the Linux kernel's ksmbd in-kernel SMB3 server occurs during durable handle reconnect, where smb2_open prematurely drops the durable file reference via ksmbd_put_durable_fd(fp); a subsequent error path or scavenger access then dereferences freed fp fields (e.g., fp->create_time). Affecting Linux ksmbd across multiple stable branches and fixed in releases such as 6.6.32, 6.18.33, 7.0.10, and 7.1, the flaw is rated CVSS 9.8 but carries a low EPSS of 0.17% (6th percentile); it is not in CISA KEV and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach ksmbd SMB service on TCP/445
Delivery
Establish SMB session and open durable handle
Exploit
Force durable reconnect via smb2_open
Execution
Trigger error path or scavenger free
Persist
Access freed file object (use-after-free)
Impact
Corrupt kernel memory, leak data or crash

Vulnerability AssessmentAI

Exploitation Exploitation requires the target kernel to have ksmbd enabled and actively serving SMB shares, and the attacker must drive the SMB2 durable-handle reconnect code path in smb2_open - meaning an established SMB session that opens a file with a durable handle and then reconnects. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals here conflict and warrant scrutiny. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach a ksmbd-served SMB share authenticates, opens a file requesting a durable handle, then forces a reconnect while inducing an error in the response path (or races the scavenger reaping the handle), causing smb2_open to access the already-freed file object and corrupt kernel memory. The result could crash the server (denial of service) or leak adjacent kernel data, with potential for further escalation; no public exploit code is identified at time of analysis.
Remediation Vendor-released patch: update to a fixed Linux kernel release for your branch - the patched versions noted include 6.6.32, 6.18.33, 7.0.10, and 7.1; apply the corresponding stable update shipped by your distribution that incorporates upstream commits ce2e164c, 97a0cd55, and 1baff47b (https://git.kernel.org/stable/c/ce2e164c1c51c3f7813b80f8c926836e896bcbb3). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

**Within 24 hours:** Inventory all Linux systems running ksmbd (check with grep CONFIG_SMB_SERVER /boot/config-$(uname -r) or similar) and identify vulnerable kernel versions using uname -r. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38878 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy