Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE

FSCTL_SET_SPARSE in fsctl_set_sparse() modifies the file's sparse
attribute and saves it through xattr without any permission checks.

This exposes two issues:

1) A client on a read-only share can change the sparse attribute
on files it opened, even though the share is read-only.
Other FSCTL write operations already check
test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE),
but FSCTL_SET_SPARSE does not.

2) Even on writable shares, clients without FILE_WRITE_DATA or
FILE_WRITE_ATTRIBUTES access should not modify the sparse
attribute. Similar handle-level checks exist in other functions
but are missing here.

Add both share-level writable check and per-handle access check.
Use goto out on error to avoid leaking file references.
Published: 2026-06-24
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s ksmbd server had an omission in its handling of the FSCTL_SET_SPARSE control code: the routine that applies the sparse flag to a file wrote the change to extended attributes without any permission checks. As a result, a SMB client that could send the FSCTL_SET_SPARSE request could alter a file’s sparse attribute even when the share is set to read‑only or when the client does not hold FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES rights. This flaw enables an attacker to change file metadata and disk usage characteristics without proper authorization, and it is rooted in improper access control (CWE‑266).

Affected Systems

All Linux kernel installations that run the ksmbd SMB server are affected. The flaw is present wherever the unpatched implementation of FSCTL_SET_SPARSE resides, regardless of distribution or specific kernel version, because the patch is made to core ksmbd code used by all enabled SMB services.

Risk and Exploitability

The EPSS score is below 1%, indicating a very low probability of exploitation and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, the attack path is straightforward for any SMB client that can send the FSCTL_SET_SPARSE command. The vulnerability poses a moderate risk to data integrity and potentially system stability by allowing unauthorized modification of file attributes on a target system.

Generated by OpenCVE AI on June 25, 2026 at 03:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the ksmbd FSCTL_SET_SPARSE permission‑check patch
  • If an immediate kernel upgrade is not feasible, configure SMB shares to be read‑only or enforce proper FILE_WRITE_DATA/FILE_WRITE_ATTRIBUTES permissions in smb.conf so that only authorized clients can issue write operations
  • Configure or disable SMB support for FSCTL_SET_SPARSE (if the SMB server configuration allows disabling this control code) to prevent clients from attempting to modify sparse attributes

Generated by OpenCVE AI on June 25, 2026 at 03:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-285
CWE-306

Thu, 25 Jun 2026 00:15:00 +0000


Wed, 24 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-285
CWE-306

Wed, 24 Jun 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE FSCTL_SET_SPARSE in fsctl_set_sparse() modifies the file's sparse attribute and saves it through xattr without any permission checks. This exposes two issues: 1) A client on a read-only share can change the sparse attribute on files it opened, even though the share is read-only. Other FSCTL write operations already check test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE), but FSCTL_SET_SPARSE does not. 2) Even on writable shares, clients without FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES access should not modify the sparse attribute. Similar handle-level checks exist in other functions but are missing here. Add both share-level writable check and per-handle access check. Use goto out on error to avoid leaking file references.
Title ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T09:59:09.149Z

Reserved: 2026-06-09T07:44:35.371Z

Link: CVE-2026-52944

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52944 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T03:30:17Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment