Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: ipc: fix use-after-free in ipc_msg_send_request

ipc_msg_send_request() waits for a generic netlink reply using an
ipc_msg_table_entry on the stack. The generic netlink handler
(handle_generic_event()/handle_response()) fills entry->response under
ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free
entry->response without holding the same lock.

Under high concurrency this allows a race where handle_response() is
copying data into entry->response while ipc_msg_send_request() has just
freed it, leading to a slab-use-after-free reported by KASAN in
handle_generic_event():

BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]
Write of size 12 at addr ffff888198ee6e20 by task pool/109349
...
Freed by task:
kvfree
ipc_msg_send_request [ksmbd]
ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd]

Fix by:
- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating
entry->response, freeing it when invalid, and removing the entry from
ipc_msg_table.
- Returning the final entry->response pointer to the caller only after
the hash entry is removed under the lock.
- Returning NULL in the error path, preserving the original API
semantics.

This makes all accesses to entry->response consistent with
handle_response(), which already updates and fills the response buffer
under ipc_msg_table_lock, and closes the race that allowed the UAF.
Published: 2025-12-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Use‑After‑Free in ksmbd IPC leading to kernel memory corruption
Action: Immediate patch
AI Analysis

Impact

A race condition in the Linux kernel’s ksmbd IPC implementation allows an attacker to trigger a use‑after‑free during concurrent message processing. ipc_msg_send_request waits for a generic netlink reply using a stack‑allocated entry, while the handler handle_response fills entry->response without holding the same lock. Under high concurrency the handler may copy data into entry->response while ipc_msg_send_request has freed it, causing a slab‑use‑after‑free reported by KASAN. This leads to kernel memory corruption. Based on the use‑after‑free, it is inferred that an attacker could potentially execute arbitrary code in kernel context, although the CVE description does not explicitly state such exploitation.

Affected Systems

All Linux kernel releases that contain the ksmbd user‑space facility. The CVE applies to any system running the Linux kernel with ksmbd enabled; no specific version range is listed, so any kernel before the patch that reverts this race is vulnerable. All vendors shipping the stock kernel should be considered impacted.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity. EPSS is below 1 %, suggesting a low probability of real‑world exploitation at present. The vulnerability is not listed in CISA KEV, implying no publicly known exploits yet. The likely attack vector is inferred to be network‑based via SMB traffic to a host with ksmbd enabled. Exploiting the race condition may require a sustained or coordinated burst of messages; the specific prerequisites are not detailed in the description and are inferred.

Generated by OpenCVE AI on April 28, 2026 at 18:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the ksmbd IPC use‑after‑free fix (CVE‑2025‑68263).
  • If an immediate kernel upgrade is not feasible, stop or disable the ksmbd service to remove the attack surface.
  • As an additional precaution, restrict network access to the host’s SMB ports to trusted networks only.

Generated by OpenCVE AI on April 28, 2026 at 18:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4476-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6127-1 linux security update
Ubuntu USN Ubuntu USN USN-8094-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8094-2 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8094-3 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8094-4 Linux kernel (Azure) vulnerabilities
Ubuntu USN Ubuntu USN USN-8094-5 Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN Ubuntu USN USN-8152-1 Linux kernel (OEM) vulnerabilities
Ubuntu USN Ubuntu USN USN-8179-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8184-1 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8179-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8185-1 Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN Ubuntu USN USN-8179-3 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8203-1 Linux kernel (Oracle) vulnerabilities
Ubuntu USN Ubuntu USN USN-8204-1 Linux kernel (Raspberry Pi Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8185-2 Linux kernel (Low Latency NVIDIA) vulnerabilities
History

Tue, 28 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 02 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Sun, 11 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
References

Wed, 17 Dec 2025 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 16 Dec 2025 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ksmbd: ipc: fix use-after-free in ipc_msg_send_request ipc_msg_send_request() waits for a generic netlink reply using an ipc_msg_table_entry on the stack. The generic netlink handler (handle_generic_event()/handle_response()) fills entry->response under ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free entry->response without holding the same lock. Under high concurrency this allows a race where handle_response() is copying data into entry->response while ipc_msg_send_request() has just freed it, leading to a slab-use-after-free reported by KASAN in handle_generic_event(): BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd] Write of size 12 at addr ffff888198ee6e20 by task pool/109349 ... Freed by task: kvfree ipc_msg_send_request [ksmbd] ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd] Fix by: - Taking ipc_msg_table_lock in ipc_msg_send_request() while validating entry->response, freeing it when invalid, and removing the entry from ipc_msg_table. - Returning the final entry->response pointer to the caller only after the hash entry is removed under the lock. - Returning NULL in the error path, preserving the original API semantics. This makes all accesses to entry->response consistent with handle_response(), which already updates and fills the response buffer under ipc_msg_table_lock, and closes the race that allowed the UAF.
Title ksmbd: ipc: fix use-after-free in ipc_msg_send_request
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-02T08:39:36.027Z

Reserved: 2025-12-16T13:41:40.267Z

Link: CVE-2025-68263

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2025-12-16T15:15:55.813

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68263

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-12-16T00:00:00Z

Links: CVE-2025-68263 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T18:45:15Z

Weaknesses