Impact
A deferred byte‑range lock in the Linux kernel’s ksmbd SMB2 handler was freed prematurely while its cancel callback remained registered. A second SMB2_CANCEL request can then invoke the freed callback, leading to a slab use‑after‑free that corrupts kernel memory. An authenticated SMB client that can communicate with the SMB service can trigger the double CANCEL sequence, potentially causing a crash or providing an avenue for privilege escalation.
Affected Systems
All Linux kernel installations that contain the ksmbd SMB2 code and have not yet incorporated the patch identified by commit 0da2e073f9cbf... are affected. No specific version range is listed, so any kernel built before the inclusion of the fix is vulnerable.
Risk and Exploitability
The likely attack vector is an authenticated SMB client that sends two consecutive SMB2_CANCEL requests for the same AsyncId, exploiting the missing state guard in smb2_cancel(). Based on the description, this triggers a slab use‑after‑free in the kernel’s ksmbd SMB2 handler, potentially causing a kernel crash, loss of availability, or privilege escalation if the attacker can execute code. The EPSS score of less than 1% indicates a low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 8.8 indicates high severity. No other conditions are required beyond reaching the SMB service on an affected kernel.
OpenCVE Enrichment
Debian DLA