CVE-2026-23226 - Vulnerability Details

- ksmbd: add chann_lock to protect ksmbd_chann_list xarray

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: add chann_lock to protect ksmbd_chann_list xarray

ksmbd_chann_list xarray lacks synchronization, allowing use-after-free in
multi-channel sessions (between lookup_chann_list() and ksmbd_chann_del).

Adds rw_semaphore chann_lock to struct ksmbd_session and protects
all xa_load/xa_store/xa_erase accesses.

Published: 2026-02-18

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s SMB daemon, ksmbd, contains an unsynchronized access to the ksmbd_chann_list xarray. When a channel is looked up with lookup_chann_list() and then deleted with ksmbd_chann_del(), the xarray may be freed while the lookup still holds a reference, causing a use‑after‑free. This memory corruption can allow an attacker who can influence SMB channel creation to execute arbitrary code in kernel space, potentially escalating privileges or causing a kernel panic. The fix introduces a read‑write semaphore, chann_lock, to serialize all xa_load/xa_store/xa_erase operations and eliminate the race.

Affected Systems

The vulnerability affects the Linux kernel, specifically the ksmbd SMB daemon present in all distributions that ship a kernel containing this module. No specific version range is provided, but the issue was resolved in recent kernel commits, so any kernel built from those commits onward is protected.

Risk and Exploitability

The flaw carries a high CVSS score of 8.8 yet has an EPSS score below 1%, indicating a low current exploitation probability. It is not listed in the CISA KEV catalog. Inferred from the affected component, the attack vector is likely remote via SMB or local through privileged processes that can create SMB channels. Because there is no official workaround, the only viable mitigation is to apply the kernel update or disable the affected service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1d9c4172110e645b383ff13eee759728d74f1a5d`	affected	< 4c2ca31608521895dd742a43beca4b4d29762345
`1d9c4172110e645b383ff13eee759728d74f1a5d`	affected	< e4a8a96a93d08570e0405cfd989a8a07e5b6ff33
`1d9c4172110e645b383ff13eee759728d74f1a5d`	affected	< 36ef605c0395b94b826a8c8d6f2697071173de6e
`1d9c4172110e645b383ff13eee759728d74f1a5d`	affected	< 4f3a06cc57976cafa8c6f716646be6c79a99e485
`b1caecbf34b8c8260d851ec4efde71f3694460b7`	affected	—
`91bbf9cb2387a0d76322e9a343bc6bc160f66b3f`	affected	—
`853c416710b075153c1e1421e099ffbe5dac68ce`	affected	—

Linux

affected

Version	Status	Constraints
`6.3`	affected	—
`0`	unaffected	< 6.3
`6.12.77`	unaffected	≤ 6.12.*
`6.18.11`	unaffected	≤ 6.18.*
`6.19.1`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,e4a8a96a93d08570e0405cfd989a8a07e5b6ff33)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,36ef605c0395b94b826a8c8d6f2697071173de6e)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.18.11,6.19.0)`	unaffected	semver	—
`[6.19.1,6.20.0)`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the system kernel to a version that includes the ksmbd chann_lock fix (e.g., the kernel commits referenced in the advisory); reboot after the update.
If an immediate kernel upgrade is not possible, disable the ksmbd SMB service or restrict it to trusted users so that no SMB channels can be created.
Monitor system logs for kernel panic or abnormal ksmbd activity and configure alerts for memory‑corruption or use‑after‑free indicators.

Generated by OpenCVE AI on April 15, 2026 at 15:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00021.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/36ef605c0395b94b826a8c8d6f2697071173de6e
https://git.kernel.org/stable/c/4c2ca31608521895dd742a43beca4b4d29762345
https://git.kernel.org/stable/c/4f3a06cc57976cafa8c6f716646be6c79a99e485
https://git.kernel.org/stable/c/e4a8a96a93d08570e0405cfd989a8a07e5b6ff33
https://lore.kernel.org/linux-cve-announce/2026021807-CVE-2026-23226-438c@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23226
https://www.cve.org/CVERecord?id=CVE-2026-23226

History

Thu, 02 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Fri, 13 Mar 2026 17:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/4c2ca31608521895dd742a43beca4b4d29762345

Mon, 02 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 23 Feb 2026 03:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/4f3a06cc57976cafa8c6f716646be6c79a99e485

Thu, 19 Feb 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026021807-CVE-2026-23226-438c@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23226 https://www.cve.org/CVERecord?id=CVE-2026-23226

Wed, 18 Feb 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ksmbd: add chann_lock to protect ksmbd_chann_list xarray ksmbd_chann_list xarray lacks synchronization, allowing use-after-free in multi-channel sessions (between lookup_chann_list() and ksmbd_chann_del). Adds rw_semaphore chann_lock to struct ksmbd_session and protects all xa_load/xa_store/xa_erase accesses.
Title		ksmbd: add chann_lock to protect ksmbd_chann_list xarray
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/36ef605c0395b94b826a8c8d6f2697071173de6e https://git.kernel.org/stable/c/e4a8a96a93d08570e0405cfd989a8a07e5b6ff33

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-02-18T14:53:29.562Z

Updated: 2026-04-13T06:02:42.071Z

Reserved: 2026-01-13T15:37:45.987Z

Link: CVE-2026-23226

Vulnrichment

No data.

NVD

Status : Modified

Published: 2026-02-18T16:22:32.363

Modified: 2026-04-02T15:16:23.970

Link: CVE-2026-23226

Redhat

Severity :

Publid Date: 2026-02-18T00:00:00Z

Links: CVE-2026-23226 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object