Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open

ksmbd_lookup_fd_cguid() returns a ksmbd_file with its refcount
incremented via ksmbd_fp_get(). parse_durable_handle_context() in
the DURABLE_REQ_V2 case properly releases this reference on every
path inside the ClientGUID-match branch, either by calling
ksmbd_put_durable_fd() or by transferring ownership to dh_info->fp
for a successful reconnect. However, when an entry exists in the
global file table with the same CreateGuid but a different
ClientGUID, the code simply falls through to the new-open path
without dropping the reference obtained from ksmbd_lookup_fd_cguid().

Per MS-SMB2 section 3.3.5.9.10 ("Handling the
SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 Create Context"), the server
MUST locate an Open whose Open.CreateGuid matches the request's
CreateGuid AND whose Open.ClientGuid matches the ClientGuid of the
connection that received the request. If no such Open is found, the
server MUST continue with the normal open execution phase. A
CreateGuid hit with a ClientGUID mismatch is therefore the
"Open not found" case: proceeding with a new open is correct, but
the reference obtained purely as a side effect of the lookup must
not be leaked.

Repeated requests that hit this mismatch pin global_ft entries,
prevent __ksmbd_close_fd() from ever running for the corresponding
files, and defeat the durable scavenger, leading to long-lived
resource leaks.

Release the reference in the mismatch path and clear dh_info->fp so
subsequent logic does not mistake a non-matching lookup result for
a reconnect target.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ksmbd SMB2 server contains a reference-count bug that leaks durable file descriptors when a CreateGuid matches but the ClientGUID differs. The kernel retains a reference taken during lookup and never releases it on a mismatch, pinning global file table entries and preventing normal close and scavenging. The accumulation of leaked references can exhaust kernel resources, potentially leading to denial of service. This is a classic resource-leak weakness (CWE-772).

Affected Systems

The vulnerability affects the ksmbd component of the Linux kernel, which implements SMB2/3 server functionality. All kernel releases containing the original buggy code are susceptible; users should determine if their running kernel includes the ksmbd durable-fd leak bug and upgrade to.

Risk and Exploitability

An attacker can trigger the bug by sending repeated SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 messages from a remote SMB connection. The vulnerability does not require privileged access and can be exercised over a network, so remote exploitation is possible. The EPSS score is not available and the issue is not listed in the CISA KEV catalog, but the lack of a mitigation in the kernel means an attacker can repeatedly drive the resource leak until system resources are exhausted.

Generated by OpenCVE AI on June 24, 2026 at 18:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the ksmbd durable file‑descriptor leak fix.
  • Disable SMB durable handle support in the smbd or systemd-smbd configuration to prevent the request pattern that triggers the leak.
  • Restart the SMB service (or reboot) to load the patched kernel and ensure the new configuration is active.

Generated by OpenCVE AI on June 24, 2026 at 18:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open ksmbd_lookup_fd_cguid() returns a ksmbd_file with its refcount incremented via ksmbd_fp_get(). parse_durable_handle_context() in the DURABLE_REQ_V2 case properly releases this reference on every path inside the ClientGUID-match branch, either by calling ksmbd_put_durable_fd() or by transferring ownership to dh_info->fp for a successful reconnect. However, when an entry exists in the global file table with the same CreateGuid but a different ClientGUID, the code simply falls through to the new-open path without dropping the reference obtained from ksmbd_lookup_fd_cguid(). Per MS-SMB2 section 3.3.5.9.10 ("Handling the SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 Create Context"), the server MUST locate an Open whose Open.CreateGuid matches the request's CreateGuid AND whose Open.ClientGuid matches the ClientGuid of the connection that received the request. If no such Open is found, the server MUST continue with the normal open execution phase. A CreateGuid hit with a ClientGUID mismatch is therefore the "Open not found" case: proceeding with a new open is correct, but the reference obtained purely as a side effect of the lookup must not be leaked. Repeated requests that hit this mismatch pin global_ft entries, prevent __ksmbd_close_fd() from ever running for the corresponding files, and defeat the durable scavenger, leading to long-lived resource leaks. Release the reference in the mismatch path and clear dh_info->fp so subsequent logic does not mistake a non-matching lookup result for a reconnect target.
Title ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:09.113Z

Reserved: 2026-06-09T07:44:35.377Z

Link: CVE-2026-52996

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T18:45:05Z

Weaknesses
  • CWE-772

    Missing Release of Resource after Effective Lifetime