Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths

The problem occurs when a signed request fails smb2 signature verification
check. In __process_request(), if check_sign_req() returns an error,
set_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called.
set_smb2_rsp_status() sets work->next_smb2_rcv_hdr_off to zero. By resetting
next_smb2_rcv_hdr_off to zero, the pointer to the next command in the chain
is lost. Consequently, is_chained_smb2_message() continues to point to
the same request header instead of advancing. If the header's NextCommand
field is non-zero, the function returns true, causing __handle_ksmbd_work()
to repeatedly process the same failed request in an infinite loop.
This results in the kernel log being flooded with "bad smb2 signature"
messages and high CPU usage.

This patch fixes the issue by changing the return value from
SERVER_HANDLER_CONTINUE to SERVER_HANDLER_ABORT. This ensures that
the processing loop terminates immediately rather than attempting to
continue from an invalidated offset.
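The loop the commit describes, as a constructed C model added here (not ksmbd's code): the struct layouts, the two-header compound and the iteration guard are assumptions, and the kernel names are kept only as labels. With the error path returning SERVER_HANDLER_CONTINUE the zeroed offset sends the walker back over the header that failed verification; with SERVER_HANDLER_ABORT the loop ends at that header.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed, simplified model of ksmbd's compound-request loop; not kernel code. */
enum handler_rc { SERVER_HANDLER_CONTINUE, SERVER_HANDLER_ABORT };
/* next_command models NextCommand (0 = last header); signature_ok models check_sign_req() */
struct smb2_hdr { size_t next_command; bool signature_ok; };
struct ksmbd_work {
    const struct smb2_hdr *req;   /* compound request as an array of headers */
    size_t count;
    size_t next_smb2_rcv_hdr_off; /* index of the header being processed */
    int    error_rc;              /* error path returns CONTINUE (bug) or ABORT (fix) */
};
/* Error path: the offset is zeroed here, so the position in the chain is lost. */
static void set_smb2_rsp_status(struct ksmbd_work *w) { w->next_smb2_rcv_hdr_off = 0; }
/* Models __process_request(): a failed signature check takes the error path. */
static int process_request(struct ksmbd_work *w)
{
    if (!w->req[w->next_smb2_rcv_hdr_off].signature_ok) { /* "bad smb2 signature" */
        set_smb2_rsp_status(w);
        return w->error_rc;
    }
    return SERVER_HANDLER_CONTINUE;
}
/* Models is_chained_smb2_message(): with a non-zero NextCommand at the current
 * offset, advance to the next header and report that more work remains. */
static bool is_chained_smb2_message(struct ksmbd_work *w)
{
    size_t next = w->req[w->next_smb2_rcv_hdr_off].next_command;
    if (next == 0 || w->next_smb2_rcv_hdr_off + next >= w->count) return false;
    w->next_smb2_rcv_hdr_off += next;
    return true;
}
/* Models __handle_ksmbd_work(): returns the number of handler invocations, or -1
 * when the loop has not ended after `limit` iterations (the CVE's infinite loop). */
int handle_ksmbd_work(struct ksmbd_work *w, int limit)
{
    int n = 0;
    do {
        if (++n > limit) return -1;
        if (process_request(w) == SERVER_HANDLER_ABORT) break;
    } while (is_chained_smb2_message(w));
    return n;
}
/* Constructed two-header compound: the first header verifies, the second does not. */
int run_compound(int error_rc)
{
    static const struct smb2_hdr req[2] = { {1, true}, {0, false} };
    struct ksmbd_work w = { req, 2, 0, error_rc };
    return handle_ksmbd_work(&w, 1000);
}
```

run_compound(SERVER_HANDLER_CONTINUE) hits the guard and returns -1, the unpatched behaviour; run_compound(SERVER_HANDLER_ABORT) returns 2, one invocation per header, as after the fix.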
Published: 2026-02-18
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via kernel CPU exhaustion and log flooding
Action: Apply Patch
AI Analysis

Impact

The Linux kernel’s ksmbd component can enter an infinite loop when a signed SMB2 request fails signature verification. The bug resets the next request offset to zero while still marking the message as chained, causing the same failed request to be processed repeatedly. This results in kernel log flooding with “bad smb2 signature” entries and a spike in CPU usage, effectively a denial‑of‑service condition. The patch changes the return value to abort, terminating the processing loop immediately.

Affected Systems

The issue exists in Linux kernel builds starting with version 6.6, including release candidates 6.6‑rc6 and 6.6‑rc7, and any system that ships with the ksmbd module and runs a kernel derived from 6.6 or earlier until the patch is applied. All Linux installations that enable the ksmbd server are potentially affected.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS of less than 1 % suggests a low likelihood of exploitation in the wild. The vulnerability requires an attacker to interact with the SMB2 service and to send signed requests that fail verification, so the attack vector is network‑based. Because the flaw consumes CPU rather than compromising confidentiality or integrity, its impact is limited to denial of service. The vulnerability is not listed in CISA’s KEV catalog, reflecting the current low exploitation risk.

Generated by OpenCVE AI on April 15, 2026 at 15:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a patch‑included version such as any release succeeding the fix in the 6.6 series or later stable releases.
  • If an immediate kernel update is not possible, disable SMB2 signing on the ksmbd server or, if appropriate, disable the ksmbd module entirely to prevent the erroneous loop.
  • Configure syslog or the kernel log level to reduce or rate‑limit “bad smb2 signature” messages, mitigating log‑flooding effects while a long‑term fix is applied.

Generated by OpenCVE AI on April 15, 2026 at 15:49 UTC.


Advisories
Source | ID | Title
Debian DLA | DLA-4499-1 | linux-6.1 security update
Debian DSA | DSA-6141-1 | linux security update
Debian DSA | DSA-6163-1 | linux security update
History

Sat, 18 Apr 2026 09:15:00 +0000


Wed, 18 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-835
CPEs cpe:2.3:o:linux:linux_kernel:6.6:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.6:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.6:rc7:*:*:*:*:*:*
Metrics cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Mon, 23 Feb 2026 03:30:00 +0000


Thu, 19 Feb 2026 16:15:00 +0000


Thu, 19 Feb 2026 00:15:00 +0000


Wed, 18 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths (full text as in the Description section above)
Title ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:57:22.654Z

Reserved: 2026-01-13T15:37:45.987Z

Link: CVE-2026-23220

Vulnrichment

No data.

NVD

Status : Modified

Published: 2026-02-18T16:22:31.700

Modified: 2026-04-18T09:16:14.463

Link: CVE-2026-23220

Redhat

Severity :

Public Date: 2026-02-18T00:00:00Z

Links: CVE-2026-23220 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses