Skip to main content

Linux Kernel ksmbd EUVDEUVD-2026-38914

| CVE-2026-53046 CRITICAL
2026-06-24 Linux GHSA-rchw-wq4w-xpmh
9.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.3 MEDIUM

Network-reachable via SMB but needs an authenticated encrypted session (PR:L) and a specific async hardware-crypto timing window (AC:H); impact is a kernel crash only, so C:N/I:N/A:H.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:57 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
9.8 (CRITICAL)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 cve.org
CRITICAL 9.8
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine

ksmbd_crypt_message() sets a NULL completion callback on AEAD requests and does not handle the -EINPROGRESS return code from async hardware crypto engines like the Qualcomm Crypto Engine (QCE). When QCE returns -EINPROGRESS, ksmbd treats it as an error and immediately frees the request while the hardware DMA operation is still in flight. The DMA completion callback then dereferences freed memory, causing a NULL pointer crash:

pc : qce_skcipher_done+0x24/0x174 lr : vchan_complete+0x230/0x27c ... el1h_64_irq+0x68/0x6c ksmbd_free_work_struct+0x20/0x118 [ksmbd] ksmbd_exit_file_cache+0x694/0xa4c [ksmbd]

Use the standard crypto_wait_req() pattern with crypto_req_done() as the completion callback, matching the approach used by the SMB client in fs/smb/client/smb2ops.c. This properly handles both synchronous engines (immediate return) and async engines (-EINPROGRESS followed by callback notification).

AnalysisAI

Denial-of-service (NULL-pointer dereference / use-after-free) in the Linux kernel's in-kernel SMB3 server (ksmbd) affects systems that offload SMB3 message encryption to asynchronous hardware crypto engines such as the Qualcomm Crypto Engine (QCE). ksmbd_crypt_message() installs a NULL completion callback and misinterprets the -EINPROGRESS return from async AEAD requests as a fatal error, freeing the request while the hardware DMA is still running so the later qce_skcipher_done() callback dereferences freed memory and crashes the kernel. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Reach ksmbd over TCP/445
Delivery
Establish authenticated SMB3 session
Exploit
Negotiate SMB3 encryption (QCE async path)
Install
Send encrypted SMB message triggering -EINPROGRESS
C2
Request freed while DMA in flight
Execute
Completion callback derefs freed memory
Impact
Kernel NULL-pointer crash (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires a very specific deployment: the target must run the in-kernel ksmbd SMB3 server with message encryption negotiated, AND that encryption must be serviced by an asynchronous hardware crypto engine that returns -EINPROGRESS - the Qualcomm Crypto Engine (QCE/qce_skcipher) is the named case, implying Qualcomm/ARM hardware. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals conflict and should temper the headline severity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a Qualcomm-based appliance running ksmbd with SMB3 encryption and QCE offload, an attacker (or a buggy client) on the network establishes an authenticated SMB3 session and sends encrypted SMB traffic; the QCE returns -EINPROGRESS, ksmbd prematurely frees the request, and the later DMA completion dereferences freed memory, panicking the kernel and taking the file server offline. No public PoC exists, and reliable triggering depends on the async-engine timing window rather than a deterministic payload.
Remediation Vendor-released patch: upgrade to a fixed stable kernel for your series - 5.15.209, 6.1.175, 6.6.141, 6.12.91, 7.0.10, 6.18.33, or 7.1 (or later), per the kernel.org stable commits listed in the references. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify Linux systems running ksmbd with asynchronous hardware crypto acceleration engines. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2013-2597 HIGH
8.4 Aug 31

Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6

CVE-2014-10031 HIGH POC
7.5 Jan 13

Buffer overflow in the IMAPd service in Qualcomm Eudora WorldMail 9.0.333.0 allows remote attackers to execute arbitrary

CVE-2020-11117 CRITICAL POC
9.8 Sep 08

u'In the lbd service, an external user can issue a specially crafted debug command to overwrite arbitrary files with arb

CVE-2016-5348 MEDIUM POC
5.9 Oct 10

The GPS component in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-10-01, and 7.0 be

CVE-2014-4322 HIGH POC
7.2 Dec 24

drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Andr

CVE-2015-0569 HIGH POC
7.8 May 09

Heap-based buffer overflow in the private wireless extensions IOCTL implementation in wlan_hdd_wext.c in the WLAN (aka W

CVE-2017-8260 HIGH POC
7.8 Aug 18

In all Qualcomm products with Android releases from CAF using the Linux kernel, due to a type downcast, a value may impr

CVE-2016-3934 HIGH POC
7.8 Oct 10

drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c in the Qualcomm camera driver in Android before 2016

CVE-2020-11207 HIGH POC
7.8 Nov 12

Buffer overflow in LibFastCV library due to improper size checks with respect to buffer length' in Snapdragon Auto, Snap

CVE-2020-11206 HIGH POC
7.8 Nov 12

Possible buffer overflow in Fastrpc while handling received parameters due to lack of validation on input parameters' in

CVE-2020-11202 HIGH POC
7.8 Nov 12

Buffer overflow/underflow occurs when typecasting the buffer passed by CPU internally in the library which is not aligne

CVE-2020-11201 HIGH POC
7.8 Nov 12

Arbitrary access to DSP memory due to improper check in loaded library for data received from CPU side' in Snapdragon Au

Share

EUVD-2026-38914 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy