Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in smb2_open during durable reconnect

In smb2_open, the call to ksmbd_put_durable_fd(fp) drops the reference
to the durable file descriptor early during the durable reconnect
process. If an error occurs subsequently (eg, ksmbd_iov_pin_rsp fails)
or a scavenger accesses the file, it leads to a use-after-free when
accessing fp properties (eg fp->create_time).

Move the single put to the end of the function below err_out2 so fp
stays valid until smb2_open returns.
Published: 2026-06-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw exists in the ksmbd module’s smb2_open routine during a durable reconnect. The function drops a reference to a durable file descriptor too early, allowing subsequent code paths to dereference freed memory. This memory corruption could lead to a kernel panic or provide an attacker with the opportunity to execute code with kernel privileges, though the advisory does not explicitly document privilege escalation or code execution. The weakness is identified as CWE‑911, which describes a memory reuse‑after‑free flaw that can cause integrity and confidentiality breaches.

Affected Systems

The vulnerability affects the ksmbd component of the Linux kernel. Any kernel release that includes the ksmbd module and has not incorporated the patch commit referenced in the advisory is potentially vulnerable. Specific version numbers are not listed, so all installations of the kernel that provide SMB server functionality should verify whether the fix has been applied.

Risk and Exploitability

The EPSS score is below 1%, indicating a very low but non‑zero probability of exploitation. The CVSS score of 9.8 places the vulnerability at critical severity. Attackers would most likely trigger the flaw by establishing an SMB connection that initiates a durable reconnect path, a scenario that is inferred from the description. The vulnerability is not currently listed in CISA’s KEV catalog. Given the kernel context, exploitation could compromise system integrity, but the advisory does not confirm that arbitrary code execution is guaranteed.

Generated by OpenCVE AI on June 28, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the ksmbd patch commit linked in the advisory.
  • If an update cannot be applied immediately, disable the ksmbd module or stop SMB services that expose the vulnerable code path to reduce exposure.
  • Monitor system logs for abnormal SMB activity or kernel panics while awaiting the patch, and restrict SMB access to trusted hosts as an additional precaution.

Generated by OpenCVE AI on June 28, 2026 at 14:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 00:15:00 +0000


Wed, 24 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in smb2_open during durable reconnect In smb2_open, the call to ksmbd_put_durable_fd(fp) drops the reference to the durable file descriptor early during the durable reconnect process. If an error occurs subsequently (eg, ksmbd_iov_pin_rsp fails) or a scavenger accesses the file, it leads to a use-after-free when accessing fp properties (eg fp->create_time). Move the single put to the end of the function below err_out2 so fp stays valid until smb2_open returns.
Title ksmbd: fix use-after-free in smb2_open during durable reconnect
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:38:01.524Z

Reserved: 2026-06-09T07:44:35.378Z

Link: CVE-2026-53010

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53010 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:45:17Z

Weaknesses
  • CWE-911

    Improper Update of Reference Count