Description
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL

A deferred byte-range lock (an SMB2_LOCK that blocks) registers an async work on
conn->async_requests via setup_async_work(), with cancel_fn =
smb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock.

When the request is cancelled, the worker frees the file_lock with
locks_free_lock() and takes the cancelled early-exit, which "goto out"s and never
reaches release_async_work() -- the only site that unlinks the work from
conn->async_requests and clears cancel_fn/cancel_argv. The work therefore stays
matchable on async_requests with a live cancel_fn pointing at the freed file_lock,
until connection teardown finally runs release_async_work().

smb2_cancel() fires cancel_fn unconditionally with no state guard, so a second
SMB2_CANCEL for the same AsyncId, arriving in that window, re-runs
smb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free:

BUG: KASAN: slab-use-after-free in __locks_delete_block
__locks_delete_block
locks_delete_block
ksmbd_vfs_posix_lock_unblock
smb2_remove_blocked_lock
smb2_cancel <- 2nd SMB2_CANCEL fires cancel_fn
handle_ksmbd_work
Allocated by ...: locks_alloc_lock <- smb2_lock
Freed by ...: locks_free_lock <- smb2_lock (cancelled branch)
... cache file_lock_cache of size 192

Reproduced on mainline with KASAN by an authenticated SMB client.

Skip a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback
cannot be fired a second time.
Published: 2026-06-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A deferred byte‑range lock in the Linux kernel’s ksmbd SMB2 handler was freed prematurely while its cancel callback remained registered. A second SMB2_CANCEL request can then invoke the freed callback, leading to a slab use‑after‑free that corrupts kernel memory. An authenticated SMB client that can communicate with the SMB service can trigger the double CANCEL sequence, potentially causing a crash or providing an avenue for privilege escalation.

Affected Systems

All Linux kernel installations that contain the ksmbd SMB2 code and have not yet incorporated the patch identified by commit 0da2e073f9cbf... are affected. No specific version range is listed, so any kernel built before the inclusion of the fix is vulnerable.

Risk and Exploitability

The likely attack vector is an authenticated SMB client that sends two consecutive SMB2_CANCEL requests for the same AsyncId, exploiting the missing state guard in smb2_cancel(). Based on the description, this triggers a slab use‑after‑free in the kernel’s ksmbd SMB2 handler, potentially causing a kernel crash, loss of availability, or privilege escalation if the attacker can execute code. The EPSS score of less than 1% indicates a low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 8.8 indicates high severity. No other conditions are required beyond reaching the SMB service on an affected kernel.

Generated by OpenCVE AI on June 28, 2026 at 15:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the ksmbd patch committed as 0da2e073f9cbf... that adds a guard to prevent the same SMB2_CANCEL from invoking a freed cancel function, fixing the use‑after‑free described by CWE‑1341.
  • Restrict SMB service accessibility by limiting connections to trusted hosts or using firewall rules, so only authenticated clients that could initiate the double CANCEL sequence can reach the server.
  • Restart the SMB service (or reboot the system) after applying the patch to ensure the new code is in use.

Generated by OpenCVE AI on June 28, 2026 at 15:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 26 Jun 2026 00:15:00 +0000


Thu, 25 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL A deferred byte-range lock (an SMB2_LOCK that blocks) registers an async work on conn->async_requests via setup_async_work(), with cancel_fn = smb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock. When the request is cancelled, the worker frees the file_lock with locks_free_lock() and takes the cancelled early-exit, which "goto out"s and never reaches release_async_work() -- the only site that unlinks the work from conn->async_requests and clears cancel_fn/cancel_argv. The work therefore stays matchable on async_requests with a live cancel_fn pointing at the freed file_lock, until connection teardown finally runs release_async_work(). smb2_cancel() fires cancel_fn unconditionally with no state guard, so a second SMB2_CANCEL for the same AsyncId, arriving in that window, re-runs smb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free: BUG: KASAN: slab-use-after-free in __locks_delete_block __locks_delete_block locks_delete_block ksmbd_vfs_posix_lock_unblock smb2_remove_blocked_lock smb2_cancel <- 2nd SMB2_CANCEL fires cancel_fn handle_ksmbd_work Allocated by ...: locks_alloc_lock <- smb2_lock Freed by ...: locks_free_lock <- smb2_lock (cancelled branch) ... cache file_lock_cache of size 192 Reproduced on mainline with KASAN by an authenticated SMB client. Skip a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback cannot be fired a second time.
Title ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-29T04:18:56.058Z

Reserved: 2026-06-09T07:44:35.391Z

Link: CVE-2026-53198

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53198 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T15:15:05Z

Weaknesses
  • CWE-1341

    Multiple Releases of Same Resource or Handle