CVE-2026-45972 - Vulnerability Details

- smb: client: fix potential UAF and double free in smb2_open_file()

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix potential UAF and double free in smb2_open_file()

Zero out @err_iov and @err_buftype before retrying SMB2_open() to
prevent an UAF bug if @data != NULL, otherwise a double free.

Published: 2026-05-27

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A bug in the Linux kernel SMB client occurs during the smb2_open_file() operation where the system can experience a use‑after‑free or a double‑free if certain error buffer conditions are not satisfied. This flaw corrupts kernel memory. Based on the description, it is inferred that an attacker might influence the buffers, which could lead to arbitrary code execution or a system crash, thereby compromising integrity and availability.

Affected Systems

All Linux kernel releases that include the SMB client prior to the commit applying the fix; any kernel version before the referenced commits is vulnerable per the advisory links.

Risk and Exploitability

The CVSS score is 9.8, and the EPSS score is below 1%, indicating a low probability of exploitation. The nature of the flaw—kernel‑level memory corruption—implies high damage if the issue is leveraged. The likely attack vector is remote via SMB traffic, but this is inferred because the description does not explicitly state the required conditions. No public exploitation evidence or CISA KEV listing exists, yet the vulnerability can be reached from a network space that can communicate over SMB. The overall risk remains significant, with high impact and low likelihood.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`743f70406264348c0830f38409eb6c40a42fb2db`	affected	< 96e53bb3ee2f354cf6b4ab07bcc56e500f8b3f74
`3a6d6b332f92990958602c1e35ce0173e2dd62e9`	affected	< 7425453ea16dbc3bbb0f6cac4d60b537e5e4d151
`b64e3b5d8d759dd4333992e4ba4dadf9359952c8`	affected	< 4d339b219004869e96c4ce56b8891f83a38da4c0
`9ee608a64e37cea5b4b13e436c559dd0fb2ad1b5`	affected	< e66dcf7bb9c4df5582c82bc3582725abcbfbea73
`e3a43633023e3cacaca60d4b8972d084a2b06236`	affected	< 639deb962986ef2f5e2a6d5a600c66f922471e81
`e3a43633023e3cacaca60d4b8972d084a2b06236`	affected	< ebbbc4bfad4cb355d17c671223d0814ee3ef4eda
`6.1.163`	affected	< 6.1.165
`6.6.124`	affected	< 6.6.128
`6.12.70`	affected	< 6.12.75
`6.18.10`	affected	< 6.18.14

Linux

affected

Version	Status	Constraints
`6.19`	affected	—
`0`	unaffected	< 6.19
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.19:-::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[743f70406264348c0830f38409eb6c40a42fb2db,96e53bb3ee2f354cf6b4ab07bcc56e500f8b3f74)`	affected	code_commit	—
`[3a6d6b332f92990958602c1e35ce0173e2dd62e9,7425453ea16dbc3bbb0f6cac4d60b537e5e4d151)`	affected	code_commit	—
`[b64e3b5d8d759dd4333992e4ba4dadf9359952c8,4d339b219004869e96c4ce56b8891f83a38da4c0)`	affected	code_commit	—
`[9ee608a64e37cea5b4b13e436c559dd0fb2ad1b5,e66dcf7bb9c4df5582c82bc3582725abcbfbea73)`	affected	code_commit	—
`[e3a43633023e3cacaca60d4b8972d084a2b06236,639deb962986ef2f5e2a6d5a600c66f922471e81)`	affected	code_commit	—
`[e3a43633023e3cacaca60d4b8972d084a2b06236,ebbbc4bfad4cb355d17c671223d0814ee3ef4eda)`	affected	code_commit	—
`[6.1.163,6.1.165)`	affected	semver	—
`[6.6.124,6.6.128)`	affected	semver	—
`[6.12.70,6.12.75)`	affected	semver	—
`[6.18.10,6.18.14)`	affected	semver	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.19`	affected	generic	—
`[0,6.19)`	unaffected	generic	—
`[6.1.165,6.2.0]`	unaffected	semver	—
`[6.6.128,6.7.0]`	unaffected	semver	—
`[6.12.75,6.13.0]`	unaffected	semver	—
`[6.18.14,6.19.0]`	unaffected	semver	—
`[6.19.4,6.20.0]`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the commit fixing the smb2_open_file() UAF and double‑free issue.
If a kernel update cannot be applied immediately, restrict SMB traffic to trusted hosts or block the SMB port (445) from untrusted networks to reduce the attack surface.
As a precaution, consider enabling SELinux or AppArmor with strict profiles to limit the impact of any kernel memory corruption that may still occur.

Generated by OpenCVE AI on June 17, 2026 at 00:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00497.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/4d339b219004869e96c4ce56b8891f83a38da4c0
https://git.kernel.org/stable/c/639deb962986ef2f5e2a6d5a600c66f922471e81
https://git.kernel.org/stable/c/7425453ea16dbc3bbb0f6cac4d60b537e5e4d151
https://git.kernel.org/stable/c/96e53bb3ee2f354cf6b4ab07bcc56e500f8b3f74
https://git.kernel.org/stable/c/e66dcf7bb9c4df5582c82bc3582725abcbfbea73
https://git.kernel.org/stable/c/ebbbc4bfad4cb355d17c671223d0814ee3ef4eda
https://lore.kernel.org/linux-cve-announce/2026052736-CVE-2026-45972-6b55@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-45972
https://www.cve.org/CVERecord?id=CVE-2026-45972

History

Tue, 16 Jun 2026 06:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
CPEs		cpe:2.3:o:linux:linux_kernel:6.19:-::::::

Sat, 30 May 2026 11:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 28 May 2026 03:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Thu, 28 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825
References		https://lore.kernel.org/linux-cve-announce/2026052736-CVE-2026-45972-6b55@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-45972 https://www.cve.org/CVERecord?id=CVE-2026-45972
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Wed, 27 May 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF and double free in smb2_open_file() Zero out @err_iov and @err_buftype before retrying SMB2_open() to prevent an UAF bug if @data != NULL, otherwise a double free.
Title		smb: client: fix potential UAF and double free in smb2_open_file()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/4d339b219004869e96c4ce56b8891f83a38da4c0 https://git.kernel.org/stable/c/639deb962986ef2f5e2a6d5a600c66f922471e81 https://git.kernel.org/stable/c/7425453ea16dbc3bbb0f6cac4d60b537e5e4d151 https://git.kernel.org/stable/c/96e53bb3ee2f354cf6b4ab07bcc56e500f8b3f74 https://git.kernel.org/stable/c/e66dcf7bb9c4df5582c82bc3582725abcbfbea73 https://git.kernel.org/stable/c/ebbbc4bfad4cb355d17c671223d0814ee3ef4eda

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:18:31.500Z

Updated: 2026-05-30T10:46:21.265Z

Reserved: 2026-05-13T15:03:33.090Z

Link: CVE-2026-45972

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-27T14:17:14.173

Modified: 2026-06-16T02:42:11.017

Link: CVE-2026-45972

Redhat

Severity : Important

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45972 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-17T00:30:15Z

Weaknesses

CWE-416
Use After Free
CWE-825
Expired Pointer Dereference

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object