CVE-2026-53046 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine

ksmbd_crypt_message() sets a NULL completion callback on AEAD requests
and does not handle the -EINPROGRESS return code from async hardware
crypto engines like the Qualcomm Crypto Engine (QCE). When QCE returns
-EINPROGRESS, ksmbd treats it as an error and immediately frees the
request while the hardware DMA operation is still in flight. The DMA
completion callback then dereferences freed memory, causing a NULL
pointer crash:

pc : qce_skcipher_done+0x24/0x174
lr : vchan_complete+0x230/0x27c
...
el1h_64_irq+0x68/0x6c
ksmbd_free_work_struct+0x20/0x118 [ksmbd]
ksmbd_exit_file_cache+0x694/0xa4c [ksmbd]

Use the standard crypto_wait_req() pattern with crypto_req_done() as
the completion callback, matching the approach used by the SMB client
in fs/smb/client/smb2ops.c. This properly handles both synchronous
engines (immediate return) and async engines (-EINPROGRESS followed
by callback notification).

Published: 2026-06-24

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A use‑after‑free bug in the Linux kernel’s ksmbd module enables a NULL pointer dereference during asynchronous cryptographic operations with the Qualcomm Crypto Engine; the bug is triggered when the engine returns -EINPROGRESS and ksmbd treats it as an error, freeing the request before the DMA completion callback executes. This flaw can cause a kernel panic, leading to a denial of service on the affected system.

Affected Systems

The vulnerability impacts Linux kernel images that include the ksmbd module and support the Qualcomm Crypto Engine. No specific kernel version range is indicated in the available data, so any kernel build using ksmbd and the Qualcomm engine is potentially affected.

Risk and Exploitability

The flaw results only in a system crash and does not provide remote code execution or data exfiltration. The CVSS score is not available, but the nature of the bug suggests moderate to high severity in terms of availability impact. Local users with the ability to trigger ksmbd’s crypto path, or remote users who can interact with the SMB server, could potentially exploit the crash; however, the exact attack vector is not explicitly documented, so its likelihood and exploitability remain uncertain. The vulnerability is not listed in CISA’s KEV catalog and no EPSS score is present.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9`	affected	< 57b47231055b431ed0a1a55f33cac32981564405
`e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9`	affected	< cc2da381875d4a67026e4c8feb3dba51a2a2d1bc
`e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9`	affected	< 8fcefe840fa8c14ce667768e5b043286ac3bbcbe
`e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9`	affected	< 8ef183216feaa24b66b940510d8b68f680eb56e9
`e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9`	affected	< 7164b3953cefd540e7ebca828c793bc6869cfbc4
`e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9`	affected	< b46aa129fa2807bfe1545fe74d9295d53c51520b
`e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9`	affected	< 3e298897f41c61450c2e7a4f457e8b2485eb35b3

Linux

affected

Version	Status	Constraints
`5.15`	affected	—
`0`	unaffected	< 5.15
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install a kernel release that includes the ksmbd_crypt_message() fix and the crypto_wait_req()/crypto_req_done() pattern changes
If a kernel update is not immediately possible, consider disabling ksmbd (the SMB server) to mitigate exposure until a patched kernel is deployed
Monitor system logs for kernel panic events related to qce_skcipher_done to detect any remaining exploitation attempts

Generated by OpenCVE AI on June 24, 2026 at 19:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/3e298897f41c61450c2e7a4f457e8b2485eb35b3
https://git.kernel.org/stable/c/57b47231055b431ed0a1a55f33cac32981564405
https://git.kernel.org/stable/c/7164b3953cefd540e7ebca828c793bc6869cfbc4
https://git.kernel.org/stable/c/8ef183216feaa24b66b940510d8b68f680eb56e9
https://git.kernel.org/stable/c/8fcefe840fa8c14ce667768e5b043286ac3bbcbe
https://git.kernel.org/stable/c/b46aa129fa2807bfe1545fe74d9295d53c51520b
https://git.kernel.org/stable/c/cc2da381875d4a67026e4c8feb3dba51a2a2d1bc

History

Wed, 24 Jun 2026 19:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine ksmbd_crypt_message() sets a NULL completion callback on AEAD requests and does not handle the -EINPROGRESS return code from async hardware crypto engines like the Qualcomm Crypto Engine (QCE). When QCE returns -EINPROGRESS, ksmbd treats it as an error and immediately frees the request while the hardware DMA operation is still in flight. The DMA completion callback then dereferences freed memory, causing a NULL pointer crash: pc : qce_skcipher_done+0x24/0x174 lr : vchan_complete+0x230/0x27c ... el1h_64_irq+0x68/0x6c ksmbd_free_work_struct+0x20/0x118 [ksmbd] ksmbd_exit_file_cache+0x694/0xa4c [ksmbd] Use the standard crypto_wait_req() pattern with crypto_req_done() as the completion callback, matching the approach used by the SMB client in fs/smb/client/smb2ops.c. This properly handles both synchronous engines (immediate return) and async engines (-EINPROGRESS followed by callback notification).
Title		ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3e298897f41c61450c2e7a4f457e8b2485eb35b3 https://git.kernel.org/stable/c/57b47231055b431ed0a1a55f33cac32981564405 https://git.kernel.org/stable/c/7164b3953cefd540e7ebca828c793bc6869cfbc4 https://git.kernel.org/stable/c/8ef183216feaa24b66b940510d8b68f680eb56e9 https://git.kernel.org/stable/c/8fcefe840fa8c14ce667768e5b043286ac3bbcbe https://git.kernel.org/stable/c/b46aa129fa2807bfe1545fe74d9295d53c51520b https://git.kernel.org/stable/c/cc2da381875d4a67026e4c8feb3dba51a2a2d1bc

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:29:52.676Z

Updated: 2026-06-24T16:29:52.676Z

Reserved: 2026-06-09T07:44:35.381Z

Link: CVE-2026-53046

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:30:08Z

Weaknesses

CWE-416
Use After Free

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object