Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix oops due to uninitialised var in smb2_unlink()

If SMB2_open_init() or SMB2_close_init() fails (e.g. reconnect), the
iovs set @rqst will be left uninitialised, hence calling
SMB2_open_free(), SMB2_close_free() or smb2_set_related() on them will
oops.

Fix this by initialising @close_iov and @open_iov before setting them
in @rqst.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An uninitialized variable in the SMB2 client’s unlink operation can trigger a kernel Oops, resulting in a system crash. The flaw arises because the iovs referenced by the request array may be left uninitialized when SMB2_open_init or SMB2_close_init fails, such as during a reconnect. When smb2_unlink() then attempts to free or modify these uninitialized I/O vectors, the kernel oopses. This weakness combines access of an uninitialized pointer (CWE‑824) with use of an uninitialized resource (CWE‑908), causing a denial of service in the form of a kernel crash.
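The failure path described above, as an added userspace C model (not the kernel's code and not the upstream patch): every type and function name, the array sizes and the stale-pointer fill are assumptions made for illustration. It counts how many iov slots a cleanup routine would treat as live buffers after a failed init, with and without initialising the arrays before wiring them into the request.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model types; not the kernel's struct kvec / smb_rqst. */
struct kvec_model { void *base; size_t len; };
struct rqst_model { struct kvec_model *iov; unsigned int nvec; };

#define OPEN_IOVS  5   /* arbitrary sizes chosen for the model */
#define CLOSE_IOVS 1

static char garbage;   /* stands in for whatever stale stack data points at */

/* Fill every slot with p: &garbage models stale stack content, NULL the fix. */
static void fill(struct kvec_model *v, unsigned int n, void *p)
{
    while (n--) { v[n].base = p; v[n].len = p ? 0xAA : 0; }
}

/* Stand-in for an *_init() that fails before writing any iov (e.g. reconnect). */
static int init_fails(struct rqst_model *r) { (void)r; return -1; }

/* Stand-in for an *_free(): a real one would release each non-NULL base. */
static unsigned int free_would_touch(const struct rqst_model *r)
{
    unsigned int i, n = 0;
    for (i = 0; i < r->nvec; i++)
        if (r->iov[i].base != NULL)
            n++;
    return n;
}

/* Returns how many stale slots the shared cleanup path would act on. */
unsigned int unlink_model(int init_first)
{
    struct kvec_model open_iov[OPEN_IOVS], close_iov[CLOSE_IOVS];
    struct rqst_model rqst[2];

    /* init_first != 0 models the fix: arrays are zeroed before use. */
    fill(open_iov, OPEN_IOVS, init_first ? NULL : (void *)&garbage);
    fill(close_iov, CLOSE_IOVS, init_first ? NULL : (void *)&garbage);
    rqst[0].iov = open_iov;  rqst[0].nvec = OPEN_IOVS;
    rqst[1].iov = close_iov; rqst[1].nvec = CLOSE_IOVS;

    if (!init_fails(&rqst[0]) && !init_fails(&rqst[1]))
        return 0;
    /* Cleanup runs for both requests regardless of which init failed. */
    return free_would_touch(&rqst[0]) + free_would_touch(&rqst[1]);
}

int main(void)
{
    printf("stale: %u, initialised: %u\n", unlink_model(0), unlink_model(1));
    return 0;
}
```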

Affected Systems

The vulnerability exists in the Linux kernel SMB client code before the inclusion of commit 048efe12. Kernels released prior to 6.17 and early 7.0 RC releases (rc1 and rc2) contain the uncorrected logic. Any Linux distribution running an unpatched kernel with SMB client capability enabled is affected, regardless of the distribution vendor.

Risk and Exploitability

The CVSS score of 5.5 denotes a medium severity, while the EPSS score below 1 % indicates a very low likelihood of real‑world exploitation at present. The vulnerability is not listed in the CISA KEV catalog, further reducing the observed threat level. The likely attack vector is remote, via malicious or misconfigured SMB traffic that forces the SMB client to experience a reconnection failure, but it could also be triggered locally by simulating such failures. Based on the description, the exact exploitation method is not detailed and is inferred from the kernel behavior.

Generated by OpenCVE AI on May 22, 2026 at 02:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes commit 048efe12 or newer, such as kernel 6.17 and later releases.
  • If a kernel upgrade cannot be performed immediately, restrict or disable SMBv2/Samba client operations on the affected hosts to reduce exposure to the vulnerable code path.
  • Regularly inspect system logs for "Oops" messages or kernel panic entries related to smb2_unlink to detect any exploitation attempts promptly.


Advisories

No advisories yet.

History

Fri, 22 May 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-908
CPEs cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-457

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-457

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: smb: client: fix oops due to uninitialised var in smb2_unlink() If SMB2_open_init() or SMB2_close_init() fails (e.g. reconnect), the iovs set @rqst will be left uninitialised, hence calling SMB2_open_free(), SMB2_close_free() or smb2_set_related() on them will oops. Fix this by initialising @close_iov and @open_iov before setting them in @rqst.
Title smb: client: fix oops due to uninitialised var in smb2_unlink()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:03:51.018Z

Reserved: 2026-01-13T15:37:45.992Z

Link: CVE-2026-23282

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-03-25T11:16:22.823

Modified: 2026-05-22T00:24:34.460

Link: CVE-2026-23282

Redhat

Severity: Moderate

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23282 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-22T02:30:16Z

Weaknesses