Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths

There are two places where ksmbd_vfs_kern_path_end_removing() needs to be
called in order to balance what the corresponding successful call to
ksmbd_vfs_kern_path_start_removing() has done, i.e. drop inode locks and
put the taken references. Otherwise there might be potential deadlocks
and unbalanced locks which are caught like:

BUG: workqueue leaked lock or atomic: kworker/5:21/0x00000000/7596
last function: handle_ksmbd_work
2 locks held by kworker/5:21/7596:
#0: ffff8881051ae448 (sb_writers#3){.+.+}-{0:0}, at: ksmbd_vfs_kern_path_locked+0x142/0x660
#1: ffff888130e966c0 (&type->i_mutex_dir_key#3/1){+.+.}-{4:4}, at: ksmbd_vfs_kern_path_locked+0x17d/0x660
CPU: 5 PID: 7596 Comm: kworker/5:21 Not tainted 6.1.162-00456-gc29b353f383b #138
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
Workqueue: ksmbd-io handle_ksmbd_work
Call Trace:
<TASK>
dump_stack_lvl+0x44/0x5b
process_one_work.cold+0x57/0x5c
worker_thread+0x82/0x600
kthread+0x153/0x190
ret_from_fork+0x22/0x30
</TASK>

Found by Linux Verification Center (linuxtesting.org).
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when the ksmbd path removal function is not invoked on some error branches within the Linux kernel. This omission can leave inode locks and references unreleased, resulting in deadlocks or leaked locks that are detected as “workqueue leaked lock” errors. Based on the description, it is inferred that an attacker with sufficient access to trigger these error paths could destabilize the system, leading to kernel panics, unresponsive services or degraded performance. The weakness pertains to improper synchronization and resource deallocation, classifying it as a deadlock scenario (CWE-503).

Affected Systems

All Linux kernels that incorporate the ksmbd module are affected, particularly those using older releases prior to the patch that added ksmbd_vfs_kern_path_end_removing() calls on error paths. The CPE identifies the linux_kernel; specific version details are not listed in the CVE data. Vendor distributions that have not yet applied the patch to their kernel package remain vulnerable.

Risk and Exploitability

No CVSS or EPSS scores are available for this entry, and the vulnerability is not listed in CISA’s KEV catalog. The risk remains uncertain. Based on the description, it is inferred that an attacker able to trigger the problematic paths could crash or destabilize kernel workqueues, potentially enabling denial of service or facilitating further escalation. The likely attack vector is inferred to involve provoking kernel faults through malformed SMB requests or other interactions with ksmbd, requiring that the target system has ksmbd enabled.

Generated by OpenCVE AI on May 27, 2026 at 17:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that invokes ksmbd_vfs_kern_path_end_removing() on all error paths; the patch can be obtained from the referenced commit logs.
  • Upgrade to a kernel version from the vendor that incorporates the ksmbd fix, such as the latest stable release of your distribution’s kernel module.
  • If an immediate upgrade is not feasible, disable the ksmbd service or remount CIFS shares using an alternative filesystem type to avoid exercising the vulnerable code path.

Generated by OpenCVE AI on May 27, 2026 at 17:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 18:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-503

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths There are two places where ksmbd_vfs_kern_path_end_removing() needs to be called in order to balance what the corresponding successful call to ksmbd_vfs_kern_path_start_removing() has done, i.e. drop inode locks and put the taken references. Otherwise there might be potential deadlocks and unbalanced locks which are caught like: BUG: workqueue leaked lock or atomic: kworker/5:21/0x00000000/7596 last function: handle_ksmbd_work 2 locks held by kworker/5:21/7596: #0: ffff8881051ae448 (sb_writers#3){.+.+}-{0:0}, at: ksmbd_vfs_kern_path_locked+0x142/0x660 #1: ffff888130e966c0 (&type->i_mutex_dir_key#3/1){+.+.}-{4:4}, at: ksmbd_vfs_kern_path_locked+0x17d/0x660 CPU: 5 PID: 7596 Comm: kworker/5:21 Not tainted 6.1.162-00456-gc29b353f383b #138 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 Workqueue: ksmbd-io handle_ksmbd_work Call Trace: <TASK> dump_stack_lvl+0x44/0x5b process_one_work.cold+0x57/0x5c worker_thread+0x82/0x600 kthread+0x153/0x190 ret_from_fork+0x22/0x30 </TASK> Found by Linux Verification Center (linuxtesting.org).
Title ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:17:43.229Z

Reserved: 2026-05-13T15:03:33.086Z

Link: CVE-2026-45924

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:07.413

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45924

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T19:15:25Z

Weaknesses