Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: scope conn->binding slowpath to bound sessions only

When the binding SESSION_SETUP sets conn->binding = true, the flag stays
set after the call so that the global session lookup in
ksmbd_session_lookup_all() can find the session, which was not added to
conn->sessions. Because the flag is connection-wide, the global lookup
path will also resolve any other session by id if asked.

Tighten the global lookup so that the returned session must have this
connection registered in its channel xarray (sess->ksmbd_chann_list).
The channel entry is installed by the existing binding_session path in
ntlm_authenticate()/krb5_authenticate() when a SESSION_SETUP completes
successfully, so this condition is a strict equivalent of "this
connection has been accepted as a channel of this session". Connections
that have not bound to a given session cannot reach it via the global
table.

The existing conn->binding gate for entering the slowpath is preserved
so that non-binding connections keep the fast-path-only behavior, and
the session->state check is unchanged.
Published: 2026-06-21
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel’s ksmbd SMB server, a logic flaw allows the conn->binding flag—set during a SESSION_SETUP—to remain true after the session completes. The flag is connection‑wide and makes the global session lookup resolve any session by its identifier, even if the session was not registered to the current connection. Based on the description, it is inferred that an attacker could misuse this behavior to obtain access to SMB sessions that they should not be able to reach, potentially allowing read or write of sensitive data within those sessions.

Affected Systems

All Linux kernel releases that include the ksmbd SMB server before the upstream fix are vulnerable. The flaw applies to any distribution kernel that has not yet incorporated the patch that tightens the global lookup to require the session’s channel registration. Administrators should verify whether their running kernel contains the patch and whether ksmbd is enabled and exposed to external clients.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score is less than 1% and the vulnerability is not listed in CISA KEV, indicating a very low but non‑zero exploitation probability. The likely attack vector is initiating an SMB connection and performing a SESSION_SETUP to trigger the vulnerable flag, after which, if the SMB service is reachable from untrusted hosts, the attacker can access unauthorized sessions. No privileged kernel access is required; exposure of the SMB service to external networks is the primary prerequisite. Overall, the risk is moderate to high for environments where ksmbd is enabled and reachable from external networks.

Generated by OpenCVE AI on June 28, 2026 at 13:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a release that incorporates the ksmbd global lookup fix
  • Reboot or reload the system so the updated kernel becomes active
  • If a patch is not yet available, restrict ksmbd to trusted hosts or disable it for external connections until the patch is applied
  • Monitor SMB traffic for abnormal session lookups or unauthorized session access attempts

Generated by OpenCVE AI on June 28, 2026 at 13:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6355-1 linux security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 23 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Tue, 23 Jun 2026 12:15:00 +0000


Sun, 21 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Sun, 21 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ksmbd: scope conn->binding slowpath to bound sessions only When the binding SESSION_SETUP sets conn->binding = true, the flag stays set after the call so that the global session lookup in ksmbd_session_lookup_all() can find the session, which was not added to conn->sessions. Because the flag is connection-wide, the global lookup path will also resolve any other session by id if asked. Tighten the global lookup so that the returned session must have this connection registered in its channel xarray (sess->ksmbd_chann_list). The channel entry is installed by the existing binding_session path in ntlm_authenticate()/krb5_authenticate() when a SESSION_SETUP completes successfully, so this condition is a strict equivalent of "this connection has been accepted as a channel of this session". Connections that have not bound to a given session cannot reach it via the global table. The existing conn->binding gate for entering the slowpath is preserved so that non-binding connections keep the fast-path-only behavior, and the session->state check is unchanged.
Title ksmbd: scope conn->binding slowpath to bound sessions only
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:36:29.042Z

Reserved: 2026-06-09T07:44:35.366Z

Link: CVE-2026-52911

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-21T00:00:00Z

Links: CVE-2026-52911 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:30:06Z

Weaknesses
  • CWE-488

    Exposure of Data Element to Wrong Session