Impact
The vulnerability is a use-after-free in the Linux kernel SMB server. After an SMB open request completes, the server releases an RCU read lock while still holding a pointer to a file operations structure and then dereferences that pointer. Once the read lock is released the object is no longer protected, so a concurrent update can free it in the window between the unlock and the dereference. An attacker who can send crafted SMB traffic can trigger this use-after-free, which may lead to arbitrary code execution or a system crash. Because the flaw resides in the kernel SMB implementation, it can affect any privileged code running on the host that handles SMB requests.
Affected Systems
Affected systems are all Linux distributions that ship a Linux kernel version containing the buggy SMB server implementation. The exact affected kernel versions are not listed in the CVE data, so any system running a kernel prior to the patch that eliminates the use‑after‑free in smb2_open should be considered at risk. The vulnerability is specific to the SMB server component of the Linux kernel.
Risk and Exploitability
Exploitation requires the ability to send SMB traffic to the vulnerable server, typically over port 445. An attacker can craft SMB open requests that trigger the use-after-free, potentially causing a crash or, if the attacker can control the contents of the freed memory region, executing arbitrary code with kernel privileges. The EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog, but the absence of any mitigation and the kernel-level nature of the flaw imply a high risk of exploitation if unpatched. The fix removes the pointer dereference that followed the release of the RCU read lock, eliminating the race.
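The following is an added userspace model of the RCU lifetime rule that the Impact and Risk sections describe; it is illustrative code, not the kernel's or ksmbd's, and its lock, deferred free and refcount (`rcu_read_lock_m`, `retire_object`, `put_ref`, all hypothetical names) are simplified stand-ins for the kernel primitives. It contrasts the buggy shape (pointer read under RCU, lock dropped, pointer used afterwards) with the fixed shape (reference taken before the unlock, or no use after it).

```c
/* Model: a "free" clears a flag instead of calling free(), so the dangling use is observable. */
#include <stdbool.h>
#include <stddef.h>
struct fops_obj {
    int refcount;   /* counted references that outlive the read section */
    bool live;      /* cleared when the deferred "free" runs (modelled) */
};
static struct fops_obj g_obj;
static struct fops_obj *g_ptr;  /* RCU-protected published pointer */
static bool g_pending_free;     /* free waiting for the grace period */
static int g_readers;
static void reset_model(void) {
    g_obj.refcount = 0; g_obj.live = true;
    g_ptr = &g_obj; g_pending_free = false; g_readers = 0;
}
/* The deferred free runs only once no read section and no counted
 * reference can still reach the object. */
static void try_free(void) {
    if (g_pending_free && g_readers == 0 && g_obj.refcount == 0) { g_obj.live = false; g_pending_free = false; }
}
static void rcu_read_lock_m(void)   { g_readers++; }
static void rcu_read_unlock_m(void) { g_readers--; try_free(); }
static void put_ref(struct fops_obj *p) { p->refcount--; try_free(); }
/* Updater: unpublish the object and free it after the grace period. */
static void retire_object(void) { g_ptr = NULL; g_pending_free = true; try_free(); }

/* Buggy shape: pointer read under RCU, lock dropped, pointer used after. */
static bool open_then_use_unsafe(void) {
    reset_model();
    rcu_read_lock_m();
    struct fops_obj *p = g_ptr;
    rcu_read_unlock_m();        /* protection ends here */
    retire_object();            /* updater wins the race: object is freed */
    return p->live;             /* use-after-free: false */
}
/* Fixed shape: take a counted reference before leaving the read section
 * (or finish all use inside it), so the free waits for put_ref(). */
static bool open_then_use_safe(void) {
    reset_model();
    rcu_read_lock_m();
    struct fops_obj *p = g_ptr;
    if (!p) { rcu_read_unlock_m(); return false; }
    p->refcount++;
    rcu_read_unlock_m();
    retire_object();            /* same race, but the free is deferred */
    bool ok = p->live;          /* still valid */
    put_ref(p);                 /* free runs now */
    return ok;
}
```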
OpenCVE Enrichment