Impact
In the Linux kernel’s ksmbd SMB server, a logic flaw allows the conn->binding flag—set during a SESSION_SETUP—to remain true after the session completes. The flag is connection‑wide and makes the global session lookup resolve any session by its identifier, even if the session was not registered to the current connection. Based on the description, it is inferred that an attacker could misuse this behavior to obtain access to SMB sessions that they should not be able to reach, potentially allowing read or write of sensitive data within those sessions.
Affected Systems
All Linux kernel releases that include the ksmbd SMB server before the upstream fix are vulnerable. The flaw applies to any distribution kernel that has not yet incorporated the patch that tightens the global lookup to require the session’s channel registration. Administrators should verify whether their running kernel contains the patch and whether ksmbd is enabled and exposed to external clients.
Risk and Exploitability
The CVSS score of 8.8 indicates high severity. The EPSS score is less than 1% and the vulnerability is not listed in CISA KEV, indicating a very low but non‑zero exploitation probability. The likely attack vector is initiating an SMB connection and performing a SESSION_SETUP to trigger the vulnerable flag, after which, if the SMB service is reachable from untrusted hosts, the attacker can access unauthorized sessions. No privileged kernel access is required; exposure of the SMB service to external networks is the primary prerequisite. Overall, the risk is moderate to high for environments where ksmbd is enabled and reachable from external networks.
OpenCVE Enrichment
Debian DLA
Debian DSA