Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable via SMB but needs an authenticated encrypted session (PR:L) and a specific async hardware-crypto timing window (AC:H); impact is a kernel crash only, so C:N/I:N/A:H.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
ksmbd_crypt_message() sets a NULL completion callback on AEAD requests and does not handle the -EINPROGRESS return code from async hardware crypto engines like the Qualcomm Crypto Engine (QCE). When QCE returns -EINPROGRESS, ksmbd treats it as an error and immediately frees the request while the hardware DMA operation is still in flight. The DMA completion callback then dereferences freed memory, causing a NULL pointer crash:
pc : qce_skcipher_done+0x24/0x174 lr : vchan_complete+0x230/0x27c ... el1h_64_irq+0x68/0x6c ksmbd_free_work_struct+0x20/0x118 [ksmbd] ksmbd_exit_file_cache+0x694/0xa4c [ksmbd]
Use the standard crypto_wait_req() pattern with crypto_req_done() as the completion callback, matching the approach used by the SMB client in fs/smb/client/smb2ops.c. This properly handles both synchronous engines (immediate return) and async engines (-EINPROGRESS followed by callback notification).
AnalysisAI
Denial-of-service (NULL-pointer dereference / use-after-free) in the Linux kernel's in-kernel SMB3 server (ksmbd) affects systems that offload SMB3 message encryption to asynchronous hardware crypto engines such as the Qualcomm Crypto Engine (QCE). ksmbd_crypt_message() installs a NULL completion callback and misinterprets the -EINPROGRESS return from async AEAD requests as a fatal error, freeing the request while the hardware DMA is still running so the later qce_skcipher_done() callback dereferences freed memory and crashes the kernel. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a very specific deployment: the target must run the in-kernel ksmbd SMB3 server with message encryption negotiated, AND that encryption must be serviced by an asynchronous hardware crypto engine that returns -EINPROGRESS - the Qualcomm Crypto Engine (QCE/qce_skcipher) is the named case, implying Qualcomm/ARM hardware. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals conflict and should temper the headline severity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a Qualcomm-based appliance running ksmbd with SMB3 encryption and QCE offload, an attacker (or a buggy client) on the network establishes an authenticated SMB3 session and sends encrypted SMB traffic; the QCE returns -EINPROGRESS, ksmbd prematurely frees the request, and the later DMA completion dereferences freed memory, panicking the kernel and taking the file server offline. No public PoC exists, and reliable triggering depends on the async-engine timing window rather than a deterministic payload. |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel for your series - 5.15.209, 6.1.175, 6.6.141, 6.12.91, 7.0.10, 6.18.33, or 7.1 (or later), per the kernel.org stable commits listed in the references. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify Linux systems running ksmbd with asynchronous hardware crypto acceleration engines. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6
Buffer overflow in the IMAPd service in Qualcomm Eudora WorldMail 9.0.333.0 allows remote attackers to execute arbitrary
u'In the lbd service, an external user can issue a specially crafted debug command to overwrite arbitrary files with arb
The GPS component in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-10-01, and 7.0 be
drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Andr
Heap-based buffer overflow in the private wireless extensions IOCTL implementation in wlan_hdd_wext.c in the WLAN (aka W
In all Qualcomm products with Android releases from CAF using the Linux kernel, due to a type downcast, a value may impr
drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c in the Qualcomm camera driver in Android before 2016
Buffer overflow in LibFastCV library due to improper size checks with respect to buffer length' in Snapdragon Auto, Snap
Possible buffer overflow in Fastrpc while handling received parameters due to lack of validation on input parameters' in
Buffer overflow/underflow occurs when typecasting the buffer passed by CPU internally in the library which is not aligne
Arbitrary access to DSP memory due to improper check in loaded library for data received from CPU side' in Snapdragon Au
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38914
GHSA-rchw-wq4w-xpmh